From 3d3b77ea7ea11719f3692ea2d8e37ad1d731fed7 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Mon, 8 Oct 2018 14:25:06 +0100 Subject: [PATCH 01/24] Specify how to handle rejected events in new state res It's possible for events in an event's auth chain to be rejected due to not having passed auth (based on the state at the time), so we need to be explicit about how to handle that case. --- proposals/1442-state-resolution.md | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 1a2e82a35d2..6994196c5de 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -244,7 +244,8 @@ First we define: with an absent event to be unconflicted rather than conflicted) * The "**auth difference"** is calculated by first calculating the full auth chain for each state set and taking every event that doesn't appear in every - auth chain. + auth chain. (This includes any events in the auth chain that have been + rejected.) * The **"full conflicted set"** is the union of the conflicted state map and auth difference. * The **"reverse topological power ordering"**[^4] of a set of events is an
@@ -269,18 +270,21 @@ First we define: ordered such that P is last. 1. We say the "closest mainline event" of an event is the first power level event encountered in mainline when iteratively descending through the - power level events in the auth events. + power level events in the auth events (including any power level events + that were rejected). 1. Order the set of events such that x < y if: 1. The closest mainline event of x appears strictly before the closest of y in the mainline list, or if 1. x's origin_server_ts is less than y's, or if 1. x's event_id lexicographically sorts before y's * The **"iterative auth checks"** algorithm is where given a sorted list of - events, the auth check algorithm is applied to each event in turn. The state - events used to auth are built up from previous events that passed the auth - checks, starting from a base set of state. If a required auth key doesn't - exist in the state, then the one in the event's auth_events is used. (See - _Variations_ and _Attack Vectors_ below). + events, the auth check algorithm is applied to each event in turn (ignoring + any events have been rejected). The state events used to auth are built up + from previous events that passed the auth checks, starting from a base set + of state. If a required auth key doesn't exist in the state, then the one in + the event's auth_events is used (unless the auth event has been rejected). + (See _Variations_ and _Attack Vectors_ below). + The algorithm proceeds as follows: 
@@ -436,6 +440,16 @@ a separate auth chain, and the difficulties that entails (like having to reapply the unconflicted state at the end). +### Rejected Events + +We include rejected events in the "auth chain difference" as they can still be +used to effect the ordering of events. This in turn means care must be taken to +filter rejected events out when applying the iterative auth checks. + +Note that no events rejected due to failure to auth against their auth chain +should appear in the process, as they should not appear in state. + + ### Attack Vectors The main potential attack vector that needs to be considered is in the From 4790432e50a3f0ca7487947ae6c6f15fbc144c93 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Tue, 9 Oct 2018 10:36:43 +0100 Subject: [PATCH 02/24] Update rejected events discussion --- proposals/1442-state-resolution.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 6994196c5de..e0efa698787 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md 
@@ -446,8 +446,25 @@ We include rejected events in the "auth chain difference" as they can still be used to effect the ordering of events. This in turn means care must be taken to filter rejected events out when applying the iterative auth checks. +An alternative would be to include rejected events during the iterative auth +checks, accepting that previously rejected events may be un-rejected. This has +the advantage that if different servers have different views of which events are +rejected they will be more likely to converge (rather than diverge). The +downside is the added complexity of un-rejecting events (on top of double +checking that this doesn't add any security vulnerabilities). + +We do, however, use rejected events when looking at the power level the sender +of an event has, in that we don't check if the event's power levels auth event +has been rejected or not. This is for ease of implementation and to help the +algorithm be more "convergent" in the face of different views of rejections. +Using rejected auth events here should be safe, as any revocation of power will +appear before the event in the iterative auth checks (due to the reverse power +topological ordering, and the fact that the revocation must be sent by a user +with a higher power level). + Note that no events rejected due to failure to auth against their auth chain -should appear in the process, as they should not appear in state. +should appear in the process, as they should not appear in state (an the +algorithm only uses events in one of the state sets or their auth events). ### Attack Vectors From 4df346a12d943d476ab7490d63c1b23bd21a6b0a Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Tue, 30 Oct 2018 11:00:47 +0000 Subject: [PATCH 03/24] Add metadata about update --- proposals/1442-state-resolution.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index e0efa698787..6f6b3a75d9a 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -1,3 +1,10 @@ +Author: Erik Johnston +Created: 2018-07-20 + +Updated: +- #1693: Clarify how to handle rejected events ─ Erik Johnston, 2018-10-30 + + # State Resolution: Reloaded @@ -47,7 +54,7 @@ which can be summarized into two separate cases: 1. Moderation evasion ─ where an attacker can avoid e.g. bans by forking and joining the room DAG in particular ways. -1. State resets ─ where a server (often innocently) sends an event that points +2. State resets ─ where a server (often innocently) sends an event that points to disparate parts of the graph, causing state resolution to pick old state rather than later versions. From 40d943f5842916de26b0ab33daa990038f99b485 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Tue, 30 Oct 2018 11:03:07 +0000 Subject: [PATCH 04/24] Clarify 'auth difference' definition --- proposals/1442-state-resolution.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 6f6b3a75d9a..bcc78922ae6 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -251,8 +251,7 @@ First we define: with an absent event to be unconflicted rather than conflicted) * The "**auth difference"** is calculated by first calculating the full auth chain for each state set and taking every event that doesn't appear in every - auth chain. (This includes any events in the auth chain that have been - rejected.) + auth chain (including events that have been rejected). * The **"full conflicted set"** is the union of the conflicted state map and auth difference. * The **"reverse topological power ordering"**[^4] of a set of events is an From 25fb09b991f07837f31eda654147ac783abf0241 Mon Sep 17 00:00:00 2001 
From: Erik Johnston Date: Tue, 30 Oct 2018 13:42:18 +0000 Subject: [PATCH 05/24] Fix up formatting --- proposals/1442-state-resolution.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index bcc78922ae6..596bb0d331b 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -1,13 +1,12 @@ -Author: Erik Johnston -Created: 2018-07-20 +- **Author**: Erik Johnston +- **Created**: 2018-07-20 +- **Updated**: + - #1693: Clarify how to handle rejected events ─ Erik Johnston, 2018-10-30 -Updated: -- #1693: Clarify how to handle rejected events ─ Erik Johnston, 2018-10-30 # State Resolution: Reloaded - Thoughts on the next iteration of the state resolution algorithm that aims to mitigate currently known attacks From 1f1ba28629d79ccadea616e2907c21ed31786026 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 31 Oct 2018 15:26:12 +0000 Subject: [PATCH 06/24] ACTUALLY! Let's just accept rejected events, because what's the worst that can happen?! --- proposals/1442-state-resolution.md | 56 ++++++++++++++---------------- 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 596bb0d331b..702b6bc32d7 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -250,7 +250,7 @@ First we define: with an absent event to be unconflicted rather than conflicted) * The "**auth difference"** is calculated by first calculating the full auth chain for each state set and taking every event that doesn't appear in every - auth chain (including events that have been rejected). + auth chain. * The **"full conflicted set"** is the union of the conflicted state map and auth difference. * The **"reverse topological power ordering"**[^4] of a set of events is an 
@@ -275,21 +275,18 @@ First we define: ordered such that P is last. 1. We say the "closest mainline event" of an event is the first power level event encountered in mainline when iteratively descending through the - power level events in the auth events (including any power level events - that were rejected). + power level events in the auth events. 1. Order the set of events such that x < y if: 1. The closest mainline event of x appears strictly before the closest of y in the mainline list, or if 1. x's origin_server_ts is less than y's, or if 1. x's event_id lexicographically sorts before y's * The **"iterative auth checks"** algorithm is where given a sorted list of - events, the auth check algorithm is applied to each event in turn (ignoring - any events have been rejected). The state events used to auth are built up - from previous events that passed the auth checks, starting from a base set - of state. If a required auth key doesn't exist in the state, then the one in - the event's auth_events is used (unless the auth event has been rejected). - (See _Variations_ and _Attack Vectors_ below). - + events, the auth check algorithm is applied to each event in turn. The state + events used to auth are built up from previous events that passed the auth + checks, starting from a base set of state. If a required auth key doesn't + exist in the state, then the one in the event's auth_events is used. (See + _Variations_ and _Attack Vectors_ below). The algorithm proceeds as follows: 
@@ -447,30 +444,31 @@ reapply the unconflicted state at the end). ### Rejected Events -We include rejected events in the "auth chain difference" as they can still be -used to effect the ordering of events. This in turn means care must be taken to -filter rejected events out when applying the iterative auth checks. - -An alternative would be to include rejected events during the iterative auth -checks, accepting that previously rejected events may be un-rejected. This has -the advantage that if different servers have different views of which events are -rejected they will be more likely to converge (rather than diverge). The -downside is the added complexity of un-rejecting events (on top of double -checking that this doesn't add any security vulnerabilities). - -We do, however, use rejected events when looking at the power level the sender -of an event has, in that we don't check if the event's power levels auth event -has been rejected or not. This is for ease of implementation and to help the -algorithm be more "convergent" in the face of different views of rejections. -Using rejected auth events here should be safe, as any revocation of power will -appear before the event in the iterative auth checks (due to the reverse power -topological ordering, and the fact that the revocation must be sent by a user -with a higher power level). +Events that have been rejected due to failing auth based on the state at the +event (rather than based on their auth chain) are handled as usual by the +algorithm. Note that no events rejected due to failure to auth against their auth chain should appear in the process, as they should not appear in state (an the algorithm only uses events in one of the state sets or their auth events). +This helps ensure that different servers' view of state is more likely to +converge, since rejection state of an event is may be different. 
This can happen +if a third server gives an incorrect version of the state when a server joins a +room via it (either due to being faulty or malicious). + +Intuitively using rejected events feels dangerous, however: + +1. Servers cannot arbitrarily make up state, since they still need to pass the + auth checks based on the events auth chain (e.g. they can't grant themselves + power levels if they didn't have them before). +2. For a previously rejected event to pass auth there must be a set of state + that allows said event. At which point, a malicious server could produce a + fork where it claims the state is that particular set of state, duplicate the + rejected event to point to that fork, and send the event. At which point the + duplicated event will pass auth. Therefore ignoring rejected events wouldn't + reduce any potential attack vectors + ### Attack Vectors From a6aab378f5628b82f918ec132420846b30bfac79 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 31 Oct 2018 15:26:54 +0000 Subject: [PATCH 07/24] Typo --- proposals/1442-state-resolution.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 702b6bc32d7..11796a1ce47 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -449,7 +449,7 @@ event (rather than based on their auth chain) are handled as usual by the algorithm. Note that no events rejected due to failure to auth against their auth chain -should appear in the process, as they should not appear in state (an the +should appear in the process, as they should not appear in state (and the algorithm only uses events in one of the state sets or their auth events). This helps ensure that different servers' view of state is more likely to From b8a8d132b2fbd0d5186a85e0fbe472a7b4c99dc0 Mon Sep 17 00:00:00 2001 
From: Erik Johnston Date: Thu, 1 Nov 2018 11:41:06 +0000 Subject: [PATCH 08/24] Note why convergence is desirable --- proposals/1442-state-resolution.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 11796a1ce47..a07b67558e0 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -453,9 +453,13 @@ should appear in the process, as they should not appear in state (and the algorithm only uses events in one of the state sets or their auth events). This helps ensure that different servers' view of state is more likely to -converge, since rejection state of an event is may be different. This can happen -if a third server gives an incorrect version of the state when a server joins a -room via it (either due to being faulty or malicious). +converge, since rejection state of an event may be different. This can happen if +a third server gives an incorrect version of the state when a server joins a +room via it (either due to being faulty or malicious). Convergence of state is a +desirable property as it ensures that all users in the room have a (mostly) +consistent view of the state of the room. If the view of the state on different +servers diverges it can lead to bifurcation of the room due to e.g. servers +disagreeing on who is in the room. Intuitively using rejected events feels dangerous, however: From a80ff2f69fdbfde19620e0820ad7222b8ebe0dfd Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Mon, 5 Nov 2018 09:45:11 +0000 Subject: [PATCH 09/24] Don't use rejected auth events --- proposals/1442-state-resolution.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index a07b67558e0..c908d8d0d1b 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md 
@@ -285,8 +285,8 @@ First we define: events, the auth check algorithm is applied to each event in turn. The state events used to auth are built up from previous events that passed the auth checks, starting from a base set of state. If a required auth key doesn't - exist in the state, then the one in the event's auth_events is used. (See - _Variations_ and _Attack Vectors_ below). + exist in the state, then the one in the event's auth_events is used if the + auth event is not rejected. (See _Variations_ and _Attack Vectors_ below). The algorithm proceeds as follows: @@ -446,7 +446,7 @@ reapply the unconflicted state at the end). Events that have been rejected due to failing auth based on the state at the event (rather than based on their auth chain) are handled as usual by the -algorithm. +algorithm, unless otherwise specified. Note that no events rejected due to failure to auth against their auth chain should appear in the process, as they should not appear in state (and the @@ -473,6 +473,10 @@ Intuitively using rejected events feels dangerous, however: duplicated event will pass auth. Therefore ignoring rejected events wouldn't reduce any potential attack vectors +We specifically don't use rejected auth events in the iterative auth checks, as +in that case the auth events aren't re-authed like the rest of the events in the +list. + ### Attack Vectors From 6c9a433805894f6a237573b4eebd77101fe81273 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Mon, 10 Dec 2018 16:27:45 +0000 Subject: [PATCH 10/24] Add example of rejected events getting into state --- proposals/1442-state-resolution.md | 16 ++++++++++++++++ proposals/images/state-res-rejected.png | Bin 0 -> 7596 bytes 2 files changed, 16 insertions(+) create mode 100644 proposals/images/state-res-rejected.png diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index c908d8d0d1b..3796225d099 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md 
@@ -488,6 +488,8 @@ event. # Appendix +## Example 1 + The following is an example room DAG, where time flows down the page. We shall work through resolving the state at both _Message 2_ and _Message 3_. @@ -543,6 +545,20 @@ auth checks, and so the last topic, _Topic 4_, is chosen. This gives the resolved state at _Message 3_ to be _Topic 4_. +## Example 2 + +The following is an example room DAG, where time flows down the page. We assume +event `B` is initially rejected by the server (due to not passing auth against +the state, but does pass auth against its auth chain). + +![state-res-rejected.png](images/state-res-rejected.png) + +At `C` we first resolve the power levels, which results in `A`. When we then go +to resolve the topics against the partially resolved state Bob has ops, and so +the resolved state include the topic change `B`, even though it was initially +rejected. + + ## Notes [^1]: In the current room protocol these are: the create event, power levels, 
diff --git a/proposals/images/state-res-rejected.png b/proposals/images/state-res-rejected.png new file mode 100644 index 0000000000000000000000000000000000000000..057402d67a28d227948cdd7c31dddfccf9698426 GIT binary patch literal 7596
Date: Tue, 11 Dec 2018 10:11:55 +0000 Subject: [PATCH 11/24] Update proposals/1442-state-resolution.md Co-Authored-By: erikjohnston --- proposals/1442-state-resolution.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 3796225d099..540285ca921 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -467,7 +467,7 @@ Intuitively using rejected events feels dangerous, however: auth checks based on the events auth chain (e.g. they can't grant themselves power levels if they didn't have them before). 2. For a previously rejected event to pass auth there must be a set of state - that allows said event. At which point, a malicious server could produce a + that allows said event. A malicious server could therefore produce a fork where it claims the state is that particular set of state, duplicate the rejected event to point to that fork, and send the event. At which point the duplicated event will pass auth. Therefore ignoring rejected events wouldn't From c581c6132e148050314da2799c43592b21c7602c Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Tue, 11 Dec 2018 10:12:18 +0000 Subject: [PATCH 12/24] Update proposals/1442-state-resolution.md Co-Authored-By: erikjohnston --- proposals/1442-state-resolution.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 540285ca921..ed789215cb9 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -469,7 +469,7 @@ Intuitively using rejected events feels dangerous, however: 2. For a previously rejected event to pass auth there must be a set of state that allows said event. A malicious server could therefore produce a fork where it claims the state is that particular set of state, duplicate the - rejected event to point to that fork, and send the event. At which point the + rejected event to point to that fork, and send the event. The duplicated event will pass auth. Therefore ignoring rejected events wouldn't reduce any potential attack vectors From 539ca4cf15e7588771ae76cfff2d5e24580988a5 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Tue, 11 Dec 2018 10:12:29 +0000 Subject: [PATCH 13/24] Update proposals/1442-state-resolution.md Co-Authored-By: erikjohnston --- proposals/1442-state-resolution.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index ed789215cb9..bded8e6e72d 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md 
@@ -470,7 +470,7 @@ Intuitively using rejected events feels dangerous, however: that allows said event. A malicious server could therefore produce a fork where it claims the state is that particular set of state, duplicate the rejected event to point to that fork, and send the event. The - duplicated event will pass auth. Therefore ignoring rejected events wouldn't + duplicated event would then pass the auth checks. Ignoring rejected events would therefore not reduce any potential attack vectors We specifically don't use rejected auth events in the iterative auth checks, as From f06455479d9adc6e77b11f198375dd53ad048f08 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Tue, 11 Dec 2018 10:12:39 +0000 Subject: [PATCH 14/24] Update proposals/1442-state-resolution.md Co-Authored-By: erikjohnston --- proposals/1442-state-resolution.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index bded8e6e72d..891b11fccae 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -471,7 +471,7 @@ Intuitively using rejected events feels dangerous, however: fork where it claims the state is that particular set of state, duplicate the rejected event to point to that fork, and send the event. The duplicated event would then pass the auth checks. Ignoring rejected events would therefore not - reduce any potential attack vectors + eliminate any potential attack vectors. We specifically don't use rejected auth events in the iterative auth checks, as in that case the auth events aren't re-authed like the rest of the events in the From 612d8a66ef28b0b603a7b049f08e04cb85016695 Mon Sep 17 00:00:00 2001 
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Tue, 11 Dec 2018 10:12:52 +0000 Subject: [PATCH 15/24] Update proposals/1442-state-resolution.md Co-Authored-By: erikjohnston --- proposals/1442-state-resolution.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 891b11fccae..8eca1c9fbcd 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -473,7 +473,7 @@ Intuitively using rejected events feels dangerous, however: duplicated event would then pass the auth checks. Ignoring rejected events would therefore not eliminate any potential attack vectors. -We specifically don't use rejected auth events in the iterative auth checks, as +Rejected auth events are deliberately excluded from use in the iterative auth checks, as in that case the auth events aren't re-authed like the rest of the events in the list. From 77827814429fd3608c5a3ac96049bb3faa942016 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Tue, 11 Dec 2018 10:13:45 +0000 Subject: [PATCH 16/24] Update wording to be betterer Co-Authored-By: erikjohnston --- proposals/1442-state-resolution.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 8eca1c9fbcd..b50612eefe2 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -474,7 +474,7 @@ Intuitively using rejected events feels dangerous, however: eliminate any potential attack vectors. Rejected auth events are deliberately excluded from use in the iterative auth checks, as -in that case the auth events aren't re-authed like the rest of the events in the +auth events aren't re-authed during the iterative auth checks (although non-auth events are.) list. 
@@ -549,7 +549,7 @@ This gives the resolved state at _Message 3_ to be _Topic 4_. The following is an example room DAG, where time flows down the page. We assume event `B` is initially rejected by the server (due to not passing auth against -the state, but does pass auth against its auth chain). +the state), but does pass auth against its auth chain. ![state-res-rejected.png](images/state-res-rejected.png) From 8a3e7b751ce6591216d710c3ad642c807240340e Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Tue, 11 Dec 2018 10:33:02 +0000 Subject: [PATCH 17/24] Add missing apostrophe --- proposals/1442-state-resolution.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index b50612eefe2..f90533f8f26 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -464,7 +464,7 @@ disagreeing on who is in the room. Intuitively using rejected events feels dangerous, however: 1. Servers cannot arbitrarily make up state, since they still need to pass the - auth checks based on the events auth chain (e.g. they can't grant themselves + auth checks based on the event's auth chain (e.g. they can't grant themselves power levels if they didn't have them before). 2. For a previously rejected event to pass auth there must be a set of state that allows said event. A malicious server could therefore produce a From a8bd2f32fdcf8bd0761791e1474d2043aaa394c5 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Tue, 11 Dec 2018 10:37:31 +0000 Subject: [PATCH 18/24] Update example --- proposals/1442-state-resolution.md | 10 +++++----- proposals/images/state-res-rejected.png | Bin 7596 -> 22130 bytes 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index f90533f8f26..64a74d962db 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md 
@@ -547,15 +547,15 @@ This gives the resolved state at _Message 3_ to be _Topic 4_. ## Example 2 -The following is an example room DAG, where time flows down the page. We assume -event `B` is initially rejected by the server (due to not passing auth against -the state), but does pass auth against its auth chain. +The following is an example room DAG, where time flows down the page. The event +`D` is initially rejected by the server (due to not passing auth against the +state), but does pass auth against its auth chain. ![state-res-rejected.png](images/state-res-rejected.png) -At `C` we first resolve the power levels, which results in `A`. When we then go +At `F` we first resolve the power levels, which results in `E`. When we then go to resolve the topics against the partially resolved state Bob has ops, and so -the resolved state include the topic change `B`, even though it was initially +the resolved state include the topic change `D`, even though it was initially rejected. 
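Review bot: In the added line "the resolved state include the topic change `D`, even though it was initially", "include" should be "includes", and the sentence before it needs a comma after "partially resolved state" so that it does not read as "state Bob has ops". The relabelled events `D`, `E` and `F` are defined only by state-res-rejected.png; consider stating in the text what `E` and `F` are (the wording suggests `E` is the power level event under which Bob has ops), so that the example can still be followed when the image is unavailable.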
diff --git a/proposals/images/state-res-rejected.png b/proposals/images/state-res-rejected.png index 057402d67a28d227948cdd7c31dddfccf9698426..e946f495ee3456b43451aa4ab734bdff66bd6133 100644 GIT binary patch
Date: Thu, 13 Dec 2018 11:13:14 +0000 Subject: [PATCH 19/24] Make lines bold --- proposals/images/state-res-rejected.png | Bin 22130 -> 22708 bytes 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/proposals/images/state-res-rejected.png b/proposals/images/state-res-rejected.png index e946f495ee3456b43451aa4ab734bdff66bd6133..79b51a49afe42586a40dc6b26375dfd09e083690 100644 GIT binary patch
z6hDj_66 zwL5uW$rUn$Jdfowsj>cN2f-3)ER;u*@{WN+; zbOHU}idr~kD+EQX4~mBlE?SNW|1*}IBaxvupQz9`f+*Yf=bSF=&>5%XX{hPjjXWSl z&Whc)-C1RAykqt=l_y6)#3pO`COWVBkD9?9oba-_(`E(yJGN9ve1g^|L>a&L7JW3P1bDIgDFj*6dE36Oqg*5dw-9+g5lLPiIeXOfU%dK-t z%bt5V8Z2Q!wy!!zOn!L=-`WX)7^iIJn|)jWK$0rq8E^pTN2;}V?bxV;u>z+}`UeD& z-Q>_#$!Oi+r+#OMaWZ?c*~jXCRYma}tT{U!%du<(+wrBCMRfl7Oe8xFlqUH0I8_D{ znjSdY>=Qsb9l$8wHgN7n;z*q324v{{*b`nS#y--w=3>RkID>)_`uaC%@ho*t?A@~a zW_2#FKrH}JasOZ1UVeCYaJV>$FoT7Gy-v>6t@*}E$}FgcwE4z~`1{Z;oozW?f=uvc zqCU3l{gOb?s=&i{2CX-#dv-B33>4w|z`-AWkz(jxAPH+YrJUKM>9RfdYP1!6`J<)#ie4Hp>&|CGm{V($Q6`d4wL$Vpf* zd;N0rjn?DLA(#nmWB+RP)wJ%I$WQQF(Ky)6GNy{I{hXa_W})Y5pt?#BR;C1)9sXZ7x`8^611{^>#*(d-U;Wfnj>oeinKF#P0G=B3@7X} z(XML010#?E2VX!GGH18{Zo&%Rp|e~zXo?7SNY!vHcvPc3dm<}V%>CgXLc>vs*9YfT z*QZv?qmmpDVqY3xV&pO2hERn>Wx3^bcD))AW+6Xc!$jf%p|Iofgx}LY!l2sZZ|gvU z^fr^V$r;0$V13c8lXdEN*9AH7o^oT%H<1dO*&EGnM$j|!y@dRwN6y6lt0axYNeK^ zCfth(tr0YH3!(Ea-)iAdqr1GxNg3IQa=h0OLd-^JJWT7aeaab5C1ed!64Q~s z-6(??E5mHjryXAc>Yn>^cl@^_v5~-b$$c%|*Vz`2^sFO~1@R6pjGen~<}DP7=f0Yg zY7BO4J#e#cRX-KMu=jh=<>}I`Qgt$qsX%O! 
z4c#ErX)|&txH^CYj0vixi5%n2_UB_bo;oZ>|J1Bv3nu4G;b~|A#@P1RWM1bJ&N|fj z+)2*sm0)9RF$P`?4&e3#pak;eY3FhVPgx9M(^YBpl%L)9%D1c&-M@XhRJ>6qC-6_4 z1PnPj+6wKloi3$7UPF6KvymvPTxX%cT*o<7*YueFJ^%J5d8{b&i9ZB7SwEW@`Y9r3 zq@EMQ_BoQ(AV1e=xVYHDo+d`97~UF4`l6-Y#WI)X`J_4pz;`OMj8iiJze@Q*B<-Io z`?^pE8r^N($3-RC|32Ds0)jM>q&KfrU$TvdG*ixey}XpI^p>3OmQd4#J7d49N|{4s zU}jXTJx#6d-X?X=8liv0r>b9ksP(d2X|nbykE+5cL`^nM+4eZ56|ZLLaK4~-iM?`65GEazbC6-#lnWKx3?(+T9KR|)i@EA}%-Q*vpzZs*?WLW3O%jG_ri0<<2GQYRAf$_}_rS>iV!%zT@tRhyqCrX^fiENCw9y9eE=~JCAFj+D8z!k2fy)G@``fQApi~Hk zfczYi@DE`)L4gDxrcMAk4RdjqKq7iCXGA9+0b&v`Yu{Jrc!GF*3(*=&`XGA;k=-r9 zMjzf{{q849@J)!=laE&lEV6eA-}y~++b-8Nb#=MOh;2`3Kb7?O>arFyu$#vCk*O1owehiW*Yx~!u?`iQ0`pRk(Pwb<`#3qX_M8n; zEB$$qPqcjqvm{akciTY73O7|U4(v-Gyn!XbeVd;9{=d5p7}AIjVyE2{DZQmjmHD&~YsQa9NRGo<|;SyFrYT*bB_wIwA6I(lG;uT~55R zTTD$=H!SWzGAmUVPiwWxg&4EMIFh5o4B=khfZ*((A%yMZv$U4N>BZ5rn+wrDg%>0W zX<9ys{#4gAH0Kw4GQCF8#z#9fSZ&eXrZo0`wpfvo&Av`=xQ4cGTh0BFoDTEIJx z#s^rohK(RinUCxkk=ZA5f@ zY4n*TIc2$=h{peUC05cxivWYB&J~@M0LE5s)tLct-CUx*M%&M_@CKFx_tLU4X!%bx zXUvCS4>stJrMTyCVL5}CJb;a#u1?P4fv}adhu6nvEe`%y|4NK=$4^yT9Cn3L|JYzI zPSn&esWJ-Me*2haLa5-wKdUpOe)eYJQB}HKu=qfUU1BKNoFX}=O8dn=75Yukms^Y* z7O0AK57cG(KM#KCyfW17-?pkGwzf*{ffFZ18-bVq~OIAGGDFbjrtz|rJ* zbroSG$vH3XCA&)_JwN+BH>=`K$*a@`6sku_TE6-o36aj%cRz0JGJnJh^oB@oBBuj@ z&JYoxjqm-fLJyaF=I(q_-3kqKtavQ-$*e*EMUsYQB|8M25rVT|a8%EuGFIo`O7L~+ zhHxz!7X68GL4^;t8H|x&HbRHrb@vxX?iGT^mM?5@%0etJ#b>=qHme{~6p2$NtFyWO_-5B(X+)JF%o!xvjF175L9o9(B62*R4b@)gZS*%vm6e^qj% z61yA1D9YeLO%z8^oXVlu`Pg-o3e9#%fG7{lLg{spoccMta<4l*oMoRPOy{FoJM;T; zektajDFPi|^VPBqwc-W0ehU~(4Gpwi>JY^8Id{g72xWW9c*iCNVIf_9852Hi>5N{l z7S23k{i#dRHTI7vmaJyX4<+vC8Z@)1e)H>mSEZ9LAa(bbwraZo>#I>7{^^DII<1`QLg)w9~2Gryc`)vF9C#c$9;^}+aCJwnMSy~$?nz6V6#TNbZEzh`+& z8dk5_Eb7jD@74nY9AZ%xc{Qbsl%J|0!(IoTY?uIr2K8pII_3MXWKuXuEUo-Q7i71D2~{l5E9w%x}t1( z^K35?s3!lc{bJq9JQt{SN_*(TTR$v55YqnmPjto^U+h!1U)lAU8R$v=(Ve2pna=d@ zsX8P9Hzhc0jPd^Bop<#%epOKugh9LWvq3X7!uQ6%N3z_jZD5#r*Sjg$#MH_QL5jSo zk292m^zplqdEXzt8>IasVe%44{{fWYPE?ux>#ghzzmlm;K`!G6+Vu&JC9Ymy%Wk`X 
zawUQ2?jiR->h}Xe*Z%E zDsznavW4MEid8<)hoh+X?=&i5ZIfYZ0ttDogRoauN0nC{EeWfMEc7!*@1)+b^r3Q* z;kxtQZD=cZl6yI(gqi5T#9RHUT`rb+gCc*sg3*_ zy=X_}bH7`zZt}Dd%n=mpYZmYbh1^%&Rq2E@IwXJZGEU8asV!8}L|Xc@Y)7j1AbP%Q z$2ud}2pKPRCRK1I7?0)^L!VQDX!zuuqtPV4quk$@YUfT`b`?zC4`~pTde~MzR^I`; zLp$CLfNcy{q4pV4-X>(|36^^fDd$_URfI((Dvw0!Q_N_;!A+oi#M2C_qNFHAAkXfI zD?%PEr%4i2+)*x`dU2#JzN0r;?t*iu&q8Dm@r>_1d3bQC=VT2YL9K2$;#}BfS~JG5 zw*7)J)NHq7Sc#3}9!I>Jmk1tXIiaICiMyey?vuSA!xZVk#nwf@+o! zC$g-YZFjSbH!~UjVb>HZ`GQy4+c3Z#=dbhobO)rawf8g~JCD6HhM!LO&>q8V?=oA( z9Y)ZZsN&7JUwKI)%+@hODm(#Qt~n83!rAwbeGPmiCT+IkCq=>VMm`F3t>r-8PUw(; zz*D13e^H(g4;VFqFqDd=L@q42JG~*S-00yx{q#x{@re+S`M~@AGt206q3Sr_oOCzN zKvjxJ2_zIPA4piAp+?A|pWc3ug8JH(-cNmkZo<3)8Ylc_M#jp!y31+Ba(3B0gM>NX z*9;i%xI>1piB*fgGM1jx*8LgE&`O0q;0vghA@XO3T7NCePL|JZ!QJ|l_9HPiOZ3VP zNAFwv4el5Q-oC5aQZ)Kd^D`u2iIyXfle3|by`+BOwb~l(MImM~FTg9?Zj@z6+?Qw@ z-Kq*nK_>^_p%T|)cwVXW7rtD##}%9=Qj`sUv3K8FeLO-TSTiWDZ6UxE6ke|I?Js5$ zeb(AL-M{*(S$P%`5I|u6{x3k9O06TmBXjcv5*j~^>}{nAo{3}ltonCq=!5Rr2Pf0w z&EyZo3b^*$d6T5~jCh}kTJzyBg&Kn`gbQ`9rz=t<9+=4VX`0h?t)A06^sD2PpM?(p znhfqalH4m?8Hhl3eOaY&_)#I9V%4 zxi09|TZ>9_jINy?4VpjQEG0Dg5@w#c*>=|b14ef=pPN_3&KQMNUtPHNOdc%FB>dWD zP{aLXC^a8UZVN@f7acG@`^h%D>Djn(w@^jmV7=!!=Vgh9HSV>LQ8%i%?tX61no-B3 z%iN-#%=N`WMO+z^U`4T|cnE+XETvheVllk*yVC1iGe^RQTztoXTZr`>^@C9kD4 z`!E+g4mTw-k5+cy)B=p-D*5X7liD?#-g|J9TJca5IOTe=t@w^u`--YvyJuJQgsokz^CyPVwRH7UQb5O9^BOTP zUaQ{WXx@U9$2p z|6H+$dIv7M{5$bOu;*)wNbwzty;5}KuYnT}{o{dm-7*`|5_b457cKm|09*%WppJDWow+SvFgJib!vDys}*$?eXsupBiF{jz0H>a zXx*2)D|r$EoeadvhLXe)!3Y|l=~I&OqImTvtmnAx*LicvetMM1n+#Mqdfh8phfzl1$XwVVQwC1Hxr?O2DPE5KIBd}xcQE=$Fa*o{ z=!T@CRBpnJy3nqr5K)j)Q}vgni|*~0yQe|z{I3Fkgtt3d7F4WePtjBz%Ya_IMtvRQ zr@b3H{^k3NnVy`Dc5zFGvh@9km6P*am2F+g3$Kp?#**Cv+WB^yUtn1VA)FUgzI32r zklN1`DNd0>S`A^3Q(0JuOQ2?+(|}1ZsaP3lfw1Zsn}*g`b+{W{IdN1%i!GnT@~izS zPcXMB^SZI&rPowh3ZbsJebc;Hj$W37_tsCmbKpj zA&Qf1Cbpw(oeHj-A3k<#+uOrD&{3QV{s5k6nLnB<`jvHQ%@{@;dvT5lAf8*abUr?q zW-eV&efL?CSosI>w1TE`Hz*+G$XmC=%Vm%>S2!tS{$e&=pFE?=#2<`JYm9zmE|*Kd 
z&-wV5@i*~51I6`kPjcQIva?w^Qrr8c#$tsfW00$#MYZ@H5C6iELytF<7E3faS*!`$8I=6Jp0d^=TxR8r?6_eyEJDM=a`|aBOX_9aPPIA zUfm$>w~=$MrC^)SZ(hWk;XG*nc;KE5>|Qu9lis(ZR9dURXZy4#Ui{U2s&_PJi(i=^ z-+l0i`o#FjVo0@o&+3kDl>NJuH-Wf5PY@g{`-K~@N7g22lUCZc->GF~RMMY7(jcR7A-)l4U4xZ>3>ToPAd8V?Sr;9XJ zzc+|qH9l9(E;52q7!}{wVSE1{@bU5K&o1C0<-Gf%`x){D%QJ-o5hJb2@1GJA7{21R zTe#{!R_V+>zWS=*5vs_;w{XuNQ;tHk`4p9|6ut<}YIiwkKiEg=w(mEWf+xApUu_ru zj1||@ZEKcEeKnyj*EGRtT44kVE#arWU^&i_ zNt1USZziGQai;7fb6N8Mxq3dT-!Zm}UZrxLvQlWAc;RY7X#NJKE%RS3S*Rb+F0uGg zbW5RsGsDCc07lS5R}&-{Zw=Gyyn}1reBuyPj42C#z|c*H>F5WuCseQUb?ArA7z9*t4 zTT-&>?Vw7K@>QGPvWq7&>&caaU*a0C^3>`knu*ClDog3)lN4^a-yK#Sk;7Zo;at4H zp@*4;E`DORrWXRBO-0_AWjSx{v{~jQo-;mozmzLNSs3@P1<=~dmreDJT-@~o0Q?uS z^9IaSY(BiM|6zKg-;LqcTVR*8%?v&!e7PqTFRF$85}x}wlz9(z51o=U?x7)CKJ}b^ zyZtPPB3mGrPGz~VbI4cUPJkQzeS}Sw^Azv0KvCB)N1Ohhlph%eA`PMzv?^C(hf)XB zOJTOLy!Z3=$i7Ol5*cZjoY_+8y2iOf4e_G7g2izb;Rbn4dM-?6)kDVvh&IR6g{Wwd zB%)>I{E*6ToCe>vmaI|`Wb7ICXFoahY8Wq)FADT;71z=Tz(OZXq~V82tP}TeW0~GS zG1@tU-`p61ZC;pYN^?b(Y-upNoO;T+=+roFC5<;Y6!++hpPqUHO~d|l$ii{XlqiqUsKB!uays9ohr6tm8YY8v zF5S|X9!Z{Df+6xh+VjxM7MA1I4tPih#zE(+$MZQK^zug>l=_M(eu-n@#!2s}8%t{* z%J%NbRjZmk+sed1TgdxjT3K}@{yw$tUNU)D`m<$2=Sow;DH-F1jw6Ct^@CcoR_ep^4*qi7)i zG6{R1d2Th<*i@e)Bc4bPx5jl1elzC1r9ChMyKKJd%CU|dje^w4yN9qGoC-$Xqd!l9 zq+S3?c29HPu=rht*>>x6;UUHA1rg%p}Q8Cjn;= zj|IjHZoqjEEx^b*of$K?qm|lj%TXpipbuiJYw$p`N17G557g<10hlCLvDAEF5)Pj2 z(93H~z3RAnWV!_7|*pA2-hw7d?G!Exr6d#J2BO6O4TO&8K`(MqS zEuGWQfFE)Ol9fdI$~x0-p0YGff}I#R@ypg>=h0?G)n@HhUO-#>zVh}&Uq5W~%l3!& zJGtb&!@!Xu>?S^Y&JdS{i~SvyFKN^xT1Fit^scVqsONaGB3cYh;~8Z#ZI~OJR-~?+ zZ|yKM9tGng&^#M5hm{N;MK^H#33rf%BZqW&zig?#_YzcM3n{O4U(&2HDquXsA z&*U^hysq2-+KQfzX=kM~Y{{L9u3ipRXouH2`$_CN;Sdu0Gwjb zk6W$}l}o-0+ow0qPBYCBH8y(Pe=7ot=5#L1Q4zK7NF22o}LZc%L;lZBU6pgg_90Od(JJf6>l;MUwz6)8gA zUe*kT_sO|&PRPdris+^dPww~5{@3ARP;p4I57$m$sI7wqVnh$|*@oN3-Z|PM<{JUt zZ38VUv*xyu2%`w58lVWke$Ydh)xv7Im}$l-%cI@?lW)WQdL!f^WcQ1c{a<-B;*fwQ zY6*BCSPb)*LShQwdRZ;{By=SCFXg0>EleP}Se@-wpLB#TmoLWQaYLN=qGT^!=E 
z@k6V(d^-B(U%^7;hVYbJldO)6m#l`~%*epRS_#@d2)tHV{nsv$5D;HdVDc;=wFSY&DlIEexs)?3D$KmO zx!U^9^;tcx;=Z&)6FV?m^-r6z{ObCfV~xAS;W@kLJ2>aguj{9r(IsROrAp~>7T}CF zgiGP$i3A+MFouKqE7a%)i%ILvQmZhwXfPoF5n&mk)$QEYRJpW$Ph4+F8J8{pp=oHr zdZytseYt!krDGLSxU3soo{$1ouF4eF5byptC%&$xBlDVUT4PHAgzNK2oQE!tvo-ZM<$EniA;9W?+9Kz*j+fKlC52`AmSwP{6on@O(bG8}XoAW32gYNVIqo4#Usdo5)AJ zJH^0W67r6!h3=1H4d;=lbeJ7r=1Pm?t!!wS-t}uTZzKsX6W?}&b7;f!xn}OL%E-eJ z$@ zfr?A>_rwq0Z;02{yJi%yMWH-K5+kkD;i8HLt>MvGH9t@jTY3n$-_&Ps6ns^c$*Fu= zxqhdd?*sl0B{Uk`|E5w9bl&iMO>63s5to((ErVuK4ggMF=-l2n0tP519$ry_i^XXZ zKd(F2#zGab3Q@uLgIM9igPWT6M|)$N0^R*0CmIdk4K1+xOSbb;FGkkIdYK8o3H%>o z$%E15hTnBB^`O+}Sq5j%TI7`zNAy7x8^tCGr94c#>DAw1S zbZBW7)5(+jI}}HbjR=gag1XTcv;KQkL|8RSK6Fccqf*2E?DdevWvo``Rpk={1e=Xv z`p!%JzCrDo7p;=pRKoJN4H|zEwM$lnRP6MJRt;F+hGtzk%P9RLo(+h}AdD~!%<9|2 zltg|`AsFf8GCuz#cufh0a#QwEwWZ}c3;AmK)53=-fFg(J?`Z)~NxO&PPekV<#(15v z0eZlnhDP7KsZ3G3?VADwfL12sZB%J^xU8J%Kz=WAlpPVPP+B$>IQR0<-~EOBI`s|k zmVfU7f^@$6zj?Q|IY>Pj{KEI5Uag<5Ak6fD3kAhb8e-*huZ){#)rKTp>72sbhaLssO@eloO$DJ35p{6ph!s z-r1Vc{NbxPXfh*@rD0Y+J&8{buzb*NZQ|>?sVQ|RyndGfceJpuDFAFp{PU3$N!Bqo z?h?a1e?U&!gD+If#&s(~;eq~?(gDYeH52BRD{PJ{6MyxtZ?HeSvSaWt+&|Nn=Zd{i z-(bHXd2w}5b&i%JM8zmJo4PNX%- Ph$-OO_qD1t9zOpsNp&B% literal 22130 zcmZU*cT`i&7dDy@LT^e7y+i1|ONUTJii#ptTBHV$A~kfRqX^PV0P&TgbfiTQ=}nOu zAW}prp-FG|`1|g+?jLs%7OZp5?7ioinLT?yvrnFznd(zhuu_0PAZkMcT?-Hh+ywl# zlaT;dbW12}fIlRUjrDaw*Z+P>I^Vnmfw)12x>|RG3$_Y_T5azAxYqFZ|E^jN5vJqT z{M|`r!N5pY#$ASnGE(a4rk0gGFk`U)f-tY9xlo@j155E2Q;;++)Y07+rAFmeB#9RzDwVN4UsBU;Rx-_$~V2Vm;UlfTP`%D$KD=E(gYUHv$+qEShwLS=l5qJ{(Dq+FhWLp zGOd#lotEWOE0dPy%WmO06eVCVD-L0T)Pa)Gr&tf9;1k%w=d3)(EWsFt9}-lNx@Mov)A$doN3Jw|gLFy>t$!!5|D(g%?wma+K9vbBMd%nW%>vbm= z2`RSV8~Hz3UR%iK<@_{=+TIx=VDCEHdFWHPb4rm03d6 z%sX`rlUzYMIJF<}u~$x}xH^DP+^E-*q&x@A2G7)3MDK9-x|mWQYDJdgj=)E0uS$`> zj(DXggUN#FgjLVI*kG3K2tFAKrM&8!^Q5`0c6uE1V&xr0Sj2wnAV1JXZw&hh>);^1 zD-}Y+2_guweRYrn0g4bMj7r2xHaOo;_{roO+LY?C(f3C1Uu{W^Z{Z4-) z@Dlb{I#xdBJyI$E$ucR?zK+7pa_ncE^Pq0}-BC<=>`5C&cEYi56aX*Bw_w}*Ro=jW zSrq4Mka(WsQWVL6^tOK{LFqt^lX 
zzb9yEz*q6O59<(n?OZq&AN3aP1=R>{5fl+S6-3=5rSgFmrOHaalyHm1zhRUOVGW}w zNMB}G1X-0mb%=MAQ+67E97Za$!_IY|y{9TM0tJ0qqyq(B4Y2sAY+t;HQFICAzw42wp3|M?S;xa`+eH(Q=?u1>G8XRgA;+ZS4B{ zs60oxTPvBzGosiJQ7+(KA+^MtEYlwe!Uk_u@v{ZpBSc+~pt;)q@_B`-SxRStcvJk+ zRj_;9;i0x{`FU9QlM?3LXZ&Mz(*EU+a$-(sX0v7dHqp>cUzrVuG4i`X_WPnu`B8ON zT9tBA@t&*=iR##UR~NmEQ`59whA*4{-tWT%G%uBc(;Q*cx}teax9)uG_~H#=D(T2D z%ugDuQ7yLcc)B0{>;9_YiG|`uX!c)Wd9;(+=heD+rY}+{&Zk7yx=U(}+|oxxUFjXu z?7K&r0r?g~^$gn#cEV5Yxr2(eEBiZjC?CTRGE}<1O6#E6d^sKygu%?PAjVb#k|F)6 zGvh}5C`TBjANwhz5jB%EU0d=sQ;qQg#0GXAs?nHs;NPfzNNW^|rv}%8x>6Z-sUq2b zT}O~5b%(IH{5Wa27Q2Iq?Y==;B9G{>x>P|Q;*uBA=A)(Mmwf?s>m_- zhU!{F)ame|=v#La+AE520|}G})vp;}((3TVX~esYTCR1K$uVjJ6d% ziexJlm+foynAp43=AwvZ@493}*0{gWIIfDk_O5SeiNx4e8k-|;Z{NCZ`9t2%BK$&s zFyqY}l~(>hhXaSYV`rD)ot zi7a^SAMsYBR+x9}aiq;^dJFgW4XVbjK(5^=-fR05jnkC@K)7wg`}}(T0o_O&n=RfR zsg0QaTg{P3Ei<8OCF|qC3fc`atBHX1Ex+OPg_`zBlWmpjtMsRKK6&U4k)@UEh=-;e z?L720>RlVx>j%o~K}YKv+e_>D;M9Y4^|htGopZbE7CnYH<0f8`*Dd{T%Y^()kJi;6 z07#*PtydbK$2!V^Sn$%TubA>=g$d7tAsb|psfDUw=tNfyMZod#x?Nf!+v-^7#?l>a zQ(Br6pX3NrBV=IM9 zQ}HRMX{lO8!b_;Wk0YN!clT~ZYCr>~Xr5i_HN>oBL@TTO{3yh8e1RO<)|R9Ecq@>= zTmHJTOwOVX!{B5!p*;PQxbdj@W^QO5-*t-gDEBH-8lvoG0}g|Zi16`N1WL>Jr|E9m z?#W9ekcfYuAdI(s|6v2$lW=~VqP`^77`X^BkiMi*&buqJ?u#6k`yP4pE_0t&O?I%v zEYa#Wd$a=#0YNFV#^vPg!T#`!XpJ0VuenJ}6-l#!Ekh(j%hxbJVJK#WYXZW?V*vYl6~E6=IzM(XFS_|IgEAX5slWJj3%GDm;sGj(ep*>Am? 
z_(#suUEWxt1mjGtT$3qG(`RAFUTG@KREloxJV(El!}M|v8^Zk=sUPtiRaj=VRiz{B zcE4Psnz5?2e?9}?*Wvk26WK-_@G$Oa|L;;Mf)!BZ^kKcl$BL!IALBC>&dOeYAC-WC;k)^9(%JHs1C*TSU5iZMcLX1*OI)4V)o(&L*lbvQm1hFLCyrZAw zDK3*xtn2cKjwRkP%lT1O=x(4hk-NS!=nW><_IINJ;&Ot59UMmbOv+o&`?Lk)HuCr{ zuo;r`O`Of&hC{k^PMLlFt_vm5j~GaIW;*rt!i!xS+mG3^;HMn$KlSDb&PMi+VF6l{ zbKf_`v5%s9GIQo+@I0$;kGPFG+NCp65HJK$!kHgz?!XIVbainDztfd9C(&00F?q|9 zYGgn8j3b%>$Ak3k<_PA!UqoD_{b&ewIHu&_V}EogFc-T0Fze3>II^)Ln>tZg9+Uez zkpUOwtlIT+eE!pDG9IgkI$@oOfOhPNJh)^x>hdg4_d?s6iTtNFE*9=1CklBctp1!t zq9N?zy-?{?YbT=-BA-Wj+Kx;vFVkejN*S^ zsF9|t1lH$0-Y#Pm&O zqAow#65JSRqvzXGu5(FhCyuPo#buPgGFr2tv`+7}My|egEn}WeWxwjsyU&M^mbaQ!I&X(X0I`T;-=5AKJJQzqPuq0XW!Nwl zsP?+7hBqQt(+Hm?Nk^c21^G{?3wZGR@+e6QJB}A6l#ne5Z7iF#IAyTDyJ+!|^;iS1 zz-)%}!bjYzp>+Us$F`c|ua@21rlU3y4!$~mtVxEV<>LwvtL)mZoev&YPE{^pfjsj! z55XB_{Ar}8-e%QLW02Frvr?fYn9=+ECWW|#`}cQeh5%BmY>FVFX9XODChh}v1gW@sN%^!9@gxK@aw{|mSjmJZ zjg49eTf7WjLN`~E6GS5$H^p~Wvc;>`o0VsNJYzCaCG9P>Ym9f!Vq9r=_1=>9J#e}M zWZ08xK&r;NTnV~PW@kxD7+#2ix-$SyI=*i>9g&LKfpY4#%k6kkh?@^zAYq(<1=Oe< zP&dRIlomDo0!t*%S_AJfxbvh3P_zE}bfSv4mU)*C?}UYBoccOMvA&`jgg$}YP6uo> zYK?-!Pn7Uf{TIUTHB(JUDS%9+Q)&%4sSMa4g8vE%0?|jUa35$sc*a^(!;hJ?{%7F7 zo3Xy_;A`4|#ssZO-R59EaPy1dvtUX49LGuVU+~BLiK;|U%WevGPl_5>ewT>GT%gN9 zj(qboN3u-pu&!X=E1*|`FJv_4031Sr-jU-MX>f$0KN+(O4@zA53=c3PlPMp+0-i_* zCycevc(an5VaRJYSe3#*lCEGWyYUZtT9gnd5)=V0fUs=R^}LUBF6aU<`5%DZ%W2@N zl;*V4ECB(UK}3l?(IFLguDB-^9}KYG8&3oE*7<;3*Zex=__-bod#(8o^^bi3W<1_^ z7!r-d5l*xkczK~57gq#TW0d|GShd!p%}FZ&%Z?xFU;KM9|P8d zfZeeQus3FdY+7Ttt=NK5bVoK#~L%=&X$Uk2;pSq~&_vLGIB! 
zt&+r%#-(tFz=%pC?W4beM7P>ON<>~R5LUb=;)915mQ6D>UE{gq-AofCI7JTsmB=4$ zul-B5wBm_WGZaylJC1TNsMg&{_*K9aon;=GBw9(#5~aN`IEZEv{?cSHPy@bye(Z61 zezN)7=N%d#sl@u{t8P|KQeiJ|D3QIU$W_!fwj@m<`U;+h%!8dW?!(Aaj_NQkJgA@W z&Ht<`YamL@!m7wUn#)>;jTDvfedu2MmgZ`83bVss;9n0u4rP`-x)It93;vO#r>7p{`1Dhj_4k#q4p` z`rfyn3ig5Zfp)WHnk%n4X{XrHRlvSzv8#jBd+NehR|ayLFvCCvHfq>%!}kD#w$3Dm zMP583UcjDdVj#<1PPTF~k5v&AOcD%}af{8ajHdzzLInAGo9G|vDM$p`PDV-W^&v_2 zjJAB3`m8vb^}2h59mEPr8C3xe@Um$eOH_{k)tlxY{viM>_&Lkka;1y50J24s+gn=k zmPiL(7^Q|@aO!*Bf6&4qT>0$TppBf4)VCp2z3c`~=EmjMN9Z`@NO0h&uTu_dDzK=m zzb_wwuc*Ur%4krE-zG`{(ImbKpFncT<%ci@IPaNysqd#rv8G308RYniSyc&Sf3+cb z>rs7S&lrM-Y|jr-FYxgeZcX{_<)!Yk-Yr!}e7nSBx|%2vu?keZWMl(QTaMzof;l^J`f(#Ws( zJC0#G2%V7mwjVqO)_{!ajuOS2i(8|^%{V6?WiY?fab%8!NRR}Q3l=)UZV-~^6o*nJ z!@X{^kQC5dFtv57u2%0k;nm#l5(R&kif31n9fVbNmfM)94jgZ zSi`cg6FQmg#!{A96MO@<7Q7~tV)2(KjkqhhAcH+g=Yo2dNvy8cagr#Aqcu)lU7Vp4 z-2zrDy=$0{)_}N~DGkLrmKPS9@$M#MM2A9KiAD$jTf*5Q+Zu@CBICz4W39}`>vfU| zTzw3=6Tw?VVUTAFDyxRi1YL{dQuuupqe3}tYS^ZT@$Rd7%|s`HgR73PR8vY6!>+2c zb#XfT9TJkP0V!5+3u$W&e$lcgKMfLbTOn>D?tzm+Ue0qY?Enp-5+fc9WHanRl&x>D zKOXOWWULXd*7{R9%GAu~16f|m$DVE4S_sZizI7H1|1mDuSUKKJ za%>`tL4QXZYg68ILjEyk&E_eECQ5@(D6Re5$!nC^;>}r)txyf_C`>x9OCYlmFMIU6 zfv>GikQPW#8GB9;(Hp_wIwri9ijNMx8%5Fwf21y_8B~M??jbNwgUtny`GO1yvs)pC`Pp-H4#vM@9Mo>2xA_BMbNex_^r>s7vN3o3) zS;ScE3%|IZRdZbtOYmj$L+9S!WB>2enOu*7--ed|lCAQx;aKZW>r{#JP`u;QuiL*@ zzAZlL%{PH6U``t3%ndSi+bxc>I?+3P$DX7N`Q-T)o1B2s!`<2Ql9Q3y*Z!{@SC?y{ zigkm&Pl8IS*Gg}vwXJT_-8o#Z>sOAHn}h%Dr`YIb61dBmIBXsCO4#^+jNNYCj65Vt z64Q}m1vxIEO9bfA^{8S@Q$=J6SWo(luQ!y#Z?28KX5owKk;Ng6*3xuKxUKAk@9XPx z9{A4BAuKYB#Z_RgcFp!f2#w}uq6WfsI?yN~=z+G*EE;W-as$CM#2c0qF zdH2JZ)V~#nlDkAJgL5GqNuNUKje?q|idBcNmktbO^)42t@1^)f_E`8K7K{F|dP+1W zuq2jwqOFGjUvwZ_j-u|NBh2INAXc|?&gjjBGQXnTNjuPiT}9D1hp!k?(RJmU!}V6s z0DGb>j!=!c>GOQv`qfdT<#mbuot635f3=gmU~^5(Bh~D!l zul5hpS4tjjsHhqZR-d4}Y|FnqN6u$c_Pe%AmS^w{UQ!RelC^N(J4gIlv453OF;x(s zRg=q2tuv6cV1%---A^6W-F)(-d^}|M*_F@t_J=+`_8f)TUYU`I(QP zB>OIAh{9-ErN@@8QcOJ8%jAoUg1>Qf>#jGIk@vsbS1u3sbIWNjT~gs1J9XkYaDICG 
zL&%P}nZ8`2@GtfTuTlA&(yS*wIv(DgnX~UzSFhsLGG#yhO7kAH5Fgcqpc_LySP@OW z`ceLPn(7H^Nqrg+#@P0O&ROZGgVyM&dH<|~EZud4DQK#crUm9^(Gk<}X-TmQ>=7AB zSet3ny28D?y5yG=3Bqbb-QlJE)LsO#d|u3q|`pVGe!S_Q5nrJj`X@ChruQOLxIp5+><-G@H)R2}53x&T`bwl;;1}&r zR(uUUvD=m}KIs=lLFXV6IhJNZgbYRedS?Ac6~Uo6mFlQ=Lhp z&nSdS0_tBO6fV7IS5DWdy^y_J?_j0o{^ndW2UUY8#scRL7U+2z z8@5(i_pp_>Sdq!nSe*GhnT{H<{4}H;^XZ3}*o{_4P-|V(BO-|}oVU+0VzhT2v!NB( zDknom<(yf&a-MGUJHSd&;`m=NLnDo5#(|oc;X~}SL4xwPDs}Vh7jj=kD+{IJT_1Y5 zyy9J9pF4l3CdQh^&au^S)Ifffp&w$TS;)eYx8|m);a=J1c}%M&4MfVV9jetz@tG=s z2VdZ_PJ+G6kkush%c1RdiS2|*>Aj}n&W zDl;W~WP7ThI_NRpv8fTb_;hXW)hDSuSP-~10B^MRjdH*d&WRMI0H09A*?y$P+~@}- zV1j#oz#Es19L_VeSr8ofD@d)~vUO!i$xKDR+%wu;$KjPBB)ecK=z=*TZdsV2N3nWF zgC!n}&R^!xO`{MujQdMss;$+`W{%zWLO#m${TDV6-qRZSD^OBT+3A4)#x?WFQ1NLH zHt}{)tAQ!uCr(PcH?p=J)ixM7^&G*Z;{n&QJ!H2d8|}iVXEWk^;m=Q0`zwFRP+??n z2ly@k2jV{o-&kyKH#a;;4s6PVQPpuXzNz|=5|7&$#b<6{1QhIiZ^S?%_eE zm5Qg*Tx@RnYQRV=ER5N=kgsv2l1NSL3CO)vWM!~)4|pERc|z%2nUGyR`bTGa)VFVDvz303Vzs%G ztfr=8!(I}>=2@#bztcEvaD;FISue4!4AH<{eM9ZPmTDQ?vRd~0NTXXeo%})EH}57O zFCjmvxlV&!rU|$9k%c8yWpW!{_Y#^box>x*{Hme~lJ-rYX0LAgn9$(+6<8(FFmu`*MYMe}q`3SW)u5SUbzrka;CBTi&>yq+m{aH=O;A@O{hNmxh!Np&6?A&+TZ_ZKsEdHxn3Kead0y z_?wGrv$05&(YC+|vs`6&30;wga4hKz<@Z ztgh&Fj2}-jE^)UrKk!zrUjNbF!fcK-|FhfY9}=Mf7)2bEXaA<3*}wx9_xesm+!P7F z)Mn77@$lqacpI#sVihP8_nW{}+DM8Ss2eYXV-9X99x(dr0CAC&?#2C?Ss3f3U0 z{VJ0TlLu1nkIGao5&y_G(VUWn+B$Oa#0mD-7RHJRU`b8aXF$x133XNgaY0RqgF*lz zq)M?EqV%GRqeHtw1-0Wc`){@9rP0AB;K{khS~@sJW2Ig<=`8R`uuaSrB9Y zlR{iXBOdEGiQWOfi!uf*mLsX0v`Ap1r2=@-2?l3{vfH=Epe>I8GtYpYoz2jr{?+g# z*z>-rssprFMVh>=Nbf|)Wjy4trt7Jq&aJ^RM_GR2U;^yylCH>BKLQnz|I?5?yp3JJ z25AG6Ua@lWTOR?t1!iqLHZsDH0VQ#;EtepR2+DIF@OQ(!ygL%Tss2FQe%HH6Z=hfVhO?0Xu-30d4Mj zR5!So8d!r|4@C0*O5J#{Dx1xQxC2X^a!V+slCQZsWWXy$j)*uY@3M|FX?`_oz4@A) zK-WJ^A)b=yEmI1W;>87Eo%`9@{w>efAa-ICy>`_t;6yN~`ertma)LnDFku(bfR=x5 zIOl}JU~T$4Bpdk=A3x+;hrCV%R$=cflM+~oNr^(ZsRnCoaAP65sB{{whuy@6I8eT) zp?;ij`Y|4iiIT=1!3&)4;A^l-_B)o?ZnSDtZfxPiC2=bg4%sh84F`P6+Rq}=;~(P| zu(wX|U2?oc=YOJd(&!3fR{G 
z1)p_Per9e!xAVI|E(j2r?>cV+vcR}7RI0k4PoOEl#mJUI-%5v@<<(Tc6IFR|bg0cw zh50sx@s9klF7!`Og1kA$T%_523^8W)tD%N+z1i(7xb7G4#-vh+Q8AZg$Me8`cQ=j+ zub#!;dZSQ#(B+N;U($dv*|8~#gQ>w4_V)AbBO~#j@}ztM9b7I0OQMb3!gznUpk!&I zb**A6Bfe6|viP6nGzUgr=fE&O|4#cl{U$xzII{~!8&8|aLKD8opjI6iszlXZ(Wb6a z0qL9TVp)HKY)a0HNpLh5q_4ra_^HE6NNIFPL-F54WK)Ia%S)=wP+>kAnl^S4V zKHIMmciZ-Zjv=DL9WEp0@CY%6X;8YLRbl&09By?(mI_1KD*B4!6H>}lkA}Btaq?gR z{&siW$mY0~wcjG~cRR}qz#cQ7Xq;;9SxU&)o6+%ZWbYLk=@858(J#(w-|dC-xg3t& zoWAsFf(n0*f!l3kV>j}lV!9LyNI#Reac*QyJ0~d{vNy;a?=Q}B*;Ao*{2r$GX`32U zeoTRQLl<9~gd@~|J?)l)rH4tg-llbv>pP7p2j&gV4@An1{JrAXTKtj0ds7UJbOjS| zWR^Mr%F@D24e#|W5aHTyPGL;04EI3qiDk7EfODYFK%g%D5E|Rh&9$a|iyzx5>d3Y_ zS4@{ngO|h(4E%U9$@lLe4?qlsgERVkk?ab5<8E6;H96_az3Z6>NS5_$y9 zF=Lg$Z~|J3KE1Z^&~<%z!ui-`0$f1uslDg^z2Eig4lR4C%5}zvOv{OExiNm5orV5Y zkAY9reC)NE>+DX&g8yB!k&c1mj}rJ$l=aE91m1rO#18 z=yv&2AbNyD6tSeKMKJ4|e7j%nC-=@k*9eKjro|*d>aFx|kHg;uwmemg z%755?4kW^@FFPzYxd5v+OtfeJ>}a#7<;4|7RrIHJHwCr?>_DbzydP{6{+)xW{t#^v zAueSVcJ^@qiUX3IJe~%Ee?e$pdhRdFpymObti5(TV7G6}<;mqG>X?uAkeXffAlB#{ zl;^Ori-;BE>Q5UI&0pq|3>@J)Nl_2Z1@6B@lz)q z;VOROX={4aBSvcqKC<%?PrgS{di}X&i?bvrd}k(0{H0p)tUlTvLTO%^S>*}lgwjw5+K%;uxQMcO++MS`Zs){ol6qsrc;g)>K|#{3aX_1! 
zZRAXK^vo4;Nx>V(B`<&hWe^T$Q{t0=l&Z^_~=}wU%oZptY`&P>4tK< z68@TJY?NVH0(xwO6sE!$qU@oHLI4oFVKf1|9IIB3_v#tjj@BP-{)tmK4V$t*2hCN4 zm<9Ao4mjh9@k9N$yCK32F_6K#Bm}bV+Gc;GAr*!kl@k@J@=wTLZP~g&Bhe-ryqCbn z5U7v4FIi#rcCaXl$!w_6y`48sjdGw1d;(6=dIzx)ZEeDj0@K4$4or|i8Tvf&iRCl0 zvvJQps-W29h$=9-qVPl*`6{5O^Ln@S-DF*ZW=XbZ!qs<48}(9jd;=6qs<~;DVwE zYefy?R8+Bk_W-QFb^IIbM{kz38O|!|J5NI>utard=tq#v`V@RcSDuuEQLT#m@g_<4 z8yDpnXBL)1t2Jn#@jQKLr3QO7hxOHm`yC`5NuQ~T5VBb9G)D2Ov;K?OG!u+HQH1U> zW56q4(vsM3p;}*uFXPSCa25C>YVo)Ur?XOr6$QDTQ;;nOVs5?T)DpW$IY zRm=UDiGtoGIl}G%(JY57F_g_muXekQaH?Y-PfdE!*j#q65Xul3`$S*jx-a&oga+X; zYUtDKi)6>Uw8t)}F<>fIy$&i#y9~(cXrX(Gv-fQD@QZ1Td?y2* zrYTsyr%HujjQ<5pS$O^g*2k>xQhzX++4$jHmF~>TZy$oqPYt==3Mpc$nHrvsd?-K7 zwj_LI)I3G)joY8&Gf6x*bF=D&{C1IiO%fY#@#OVMHIRy_yeOhJeQ4G@kat!Pli^RX zZ&Iv8L7dHo$h_aFk4F?R-0sHq_Y1}{Y<1eli`i&862CoxE}p7z5%h|SMx|0#eYv15 zz)B%8Q%anJ4}4viA8RkIypqqU;wQA=U1R?l$`I6yOG!m%QIshpS;A?y!;wru zfz&R-kYhuXN0!Qv6j0RhCdT;5&6&y)9Jf0r)F$=FejZ2{AL7&_Y`yCKWvP&5(>?0y zAf#bl3W3<1?bUY*9HfKFlkI*M+4RuZq&lbd%^svCZobokjlueb;OFQnk0GSPjol!N z2Gc)R4?uvuosKfiz@gpe!?G*3c1dB=Qm52;AQ$WW4u-A$oou z{Y~{~8Gj)MW6~`&JuBm=FV-n#h(fUd980)J0ag4&#zoMV)<{4C86ZK?DXJG+qlu+f z9eD_3o!ChKiCL99V;{IT&VHhtZx(Ty5)aMz!0utGca65cjK7#vX418dw239*_M!9- z4f?2@3`5*QZR1DD#PtdvYfT=G)S+Kt)0(=Q@;yg+wtmfxG z?nH;yHy_KT#P_LD5kgBV3;;_OPQq9&yX4ucTV;W&x`y=usTVy9P{Q1}ML7VEH>V7? 
z7(I>NcK0`KNeE(^eWP$Jn^K9rgxa7FV<(-oCP(@l929oxq~w|5})K4g0GS0KT+riLXxla3&QI!?&u6?j0`1V+j1d#k-UYw_y_2e}>Y zIKghmwBO~-xDAXfTbm7yCoxSm!3(#J?X(6W0fgnxQOL11QkV#U388MCar%r$>c5Z{ z-@Z_{8*BzF2$|O7(3WL1%TSC1@PKeUM3N{7QuCuNj&1$bT>d-DZbvx|!giOryzv`v z-~oZHxLXc&)r;ad85Hx~x`-a62=0^JTlturVnF@E&v0bt;T90n5J-+2HYUAbw-e@P zMVrEPj4kxU66bykTS3^+B8~LN5LCm9x@oDrn=Lg~?tSsuje#RM;hMz8eNrI&O$9lbY)r=!xt3G^}xFr$QmXlTi5XFEC4{Oma62`TI*Ve|1FaFQ%S^Q1U@=x!9yG#Yi+FFZ+Hm`nxpTNkM3EpUvOD0{f z$rr_7kEn&0Z$}p>32z1_U4SSB$T@0CD}DY=-$fW zuR^_>G|W;dm0!YPIJVLXIE1oH;ak5R{OPLKLfz-vz@&d)9xLrp?WlmUDHovuAtfAI^|sH6dIWmsFD zw~jl9Au4R3ThzGN=Kpf_n=cO$UUiaESbGh$#8liO%Sz&!bWZPB;F>vBY{FVWPayj&P5Y_XRf#*{G<9&rXgR!&>-&g{d*lU)877 z7>ZJLf4X^b9{ljtL4?42sv7ezZmBwGAJ95aLdKmEm|Ra4NvBy1>`!{n1UCvE!h~^} zyec~mkJ>heuugV9N{86#oWZ5bwA|PR|7+kB?w9YX7MLfQ{&Lk!@c=A#7%4kg&hpAS z(t%fMF=u-`;`WM}4nV4-3$Eu4tX$|KJJYtRyyQb(PnRK@!D_=^UA0JEW+4mBHeJ~c zC6>t&Eu*I;*EW|KeqMToTJIt?5^E`xuhf^^!bfsGT%Dgp!e91imrpXCj5)*Bq==fD zI5PHGQs?I3*DAIBe&-d3PYJu2dX=M(Bi-q)29GWeGcBIC)M+TPZm8!W~(f6C16J31oh4rqekA~ zIa61O!3isB*{V!+>&%BCLJl$(HuI%!ZUvD`l7W}*lg-&Lz5GQfI_&ih)buaSLz78n zGwahA_3QL8JBr8c;m`{DWQN5syg;L(ZBJZM|e!#k6!~AtH zdS>%p6Jr|>EMDa;dDjtnPCXQn* zS8t%o!>&k%?Xnqh21}cBx?8psDD&|9hI{$yuMDsJF*CP8iBuymIwR{47^*6=Gxd6Y z2uqKB`9X$jlWH^WIZ|jPJfme!9m$ZZ#j(bR)q&gK9rx>eU;{EN&!{+8(?c^k!aAZ= zn%|h~A5-m$olav?&RpakzMH;lf5iQ6D;snTzDk|@-JSVN=~cPb+f-8( zSC~_?@KJfc=dT~ZR6Or~(;&vM{EbKrHZ=$>IEarvdm=m@qMvckfwT(`vPbw_M z&TW$5egE1lKyms`s?*XmN?dKRKDxg?yP1uz&JWCOQ1fwJMy;4*k1cvd;Z27U+4X1~{h5*T=Lc4f;Xg-Mle3J4pJLhjl;61> zL=UNM;+i_n{z68Huk`L`UNQv>6*>u1@d=-Sgvw0SEKtXoPnOrH$M;@!VMEcX<0%1@ zGRJb0RWnGk5TJ%%bjYS0pADYo)kvC@VadIfjp_ZY0Tyyf8mGTAm5Mn1~tb6Qcd9fd2d=%JTk@AUgL4k1|`9a|TG3SP=$@(yubK zBa5yjQkfwb;2^lZ5X+7~=9S(!B>1M8F;@Iu}J$|xKqDY?h>^;+sVN-WGYH_S; zh9QpUsVCy&Ok{VNqhIzNKmww(t9+V^%H;`BZ(s*+>W9?0DCR zCAS=~9x%VFvK(%i+uU@z`Q17>f(5x*}ep3328A&c2;%?byHplf47OF#2 z>dsGR+SK7g&mj`E@4F(ZoG3DFl%Jzl+)2cjsKPpv4v(|;;5{S$lT)jTH*yb(dGjqL z8Js2>R29dTWU9Vzy-g814=u1<&FfmVa(@yTuRU%M{y@1P#bRZ_NKsIZMb7$><_Q(` 
zDJRN|&n6}7QP9fI{T~ZS`>#7EQ_qSjj%dH=W;F>sE+z@zgX(d zLM<4Zb3dz?Jd2u1+Y037*+eoNX}1|_*v5n|BnEOAyd-rkJ(7wma&w!dJW;2xM8VfR zD*Rx!Z;#chRSVEl#Y>L}8jWS;SyooYWfa0kXj(lF&~;LwD(gU`v*M=ukK%6L^$WU4 z!hDtQ=x(3m2aht+$N%2+^gXzN9}!qp0@biwz;YkV4G2CXBt&~frfscVYo2pNWwq&S z@=Rwvw3mq6fFC}i)q3k=hd7tMWXY8%B3WFkd!m(m)m?VrBS#0_xMoswI|eZ`Wz;j{wB}N(0P4+X+O~OOT-~lUyM1*9yu_BR8wC~V)P#VtIQ^jF(#P9^IZRn( zXCi-Zr5_xMYmSA!{rCbYYWA=_)xenRzDGow$#Kn^&4ugV(!l?UZZVnz+urL@wy93~ z-s6G?t_$y??90CHfzEDd7`Ywvb32Qixo_bNA_)TZMg9{IUq-*DX?4s;AP^JnzwZS& zg$>^CghH#Cm!JL3(7!0!nj1ZQYI-0CQ6}iJDgQc;NcxeJj#DuTU;K$|Z2WY+Lu)RG zmdzNM&m39&pksPjgEd(-XAAG+`a7Lf)F5$ zUH4r}v=v2a*Tan*jo|_eH!~GK$ozr?wL3o;>vR zWG?0K`K~Qo(VS76ub+V^QO5S&dD!{c!~Z_L8u`fD(_vGa~d4er2^xGUTUbfde!JH5T; zSi8_7>6uj7v$vE2+KS2PEXK@~w*|RQi`FgvKMci) z(=&vIF#=<8#^W*fY1`P-wJKvG1#NbUFZP@xw|4uUD^H6b_Q~sQB-K8Au$uQML)ew1 z{@oI37-&1LiSLxnr)#P9Zur`_mt*Zf=^W!psNC{W8__d&LlXJFy%iE$;AHZh&-Uak zyf3G?lQe=(m8hxdWR(9;MIQAt0HlTgr-&;LhqC?tn4)Z1i^*;VSt86>24$NuN|r2{ z5W;AfY$3)P*)lSN>{&+PMY3ecHt*ZWzKo?oXp*Ju$}W88{r-Nx>vvtxKj(hVInQ&S z`&{>P-RFEh4_0HQT%o67WHjh<>F4mfRS)$$ZeFTzZ5MwcQ(G16Xt=Ty5wKhUCU281s&5}dMWnf}7+@ksU z>u1XfMvp{w4_d#xY+6J{{^85Vp76`9^V%tJ8xQgZ+ii)d4F|)@lJ?42H3*`enWLXj z!(u)fiw9o{2+eB_@~2||vy}cvcIUp>_pZR z5#w4Z+wy8G>0$)B=*C!PSiT0+2B1AUqPu(Xm<826QffXSiIPYtJ*+t(a#X;J;m*_x=|5hUyF>VG-HNc8GLFc z+}TY*ZA623{IoNgg(hkD-P~$w{@d^ibx}OVN7hRwD@yOTsrvEYD=t9_RS&>t+_A=q*6?H?EOcMS_nEPtqUAF&uyVS;FH4j^RGcp*)+F3U>&c~KxM&&IbRv9lkKnj;P}b3&2ZeHloO^qt0K$L~#;>QM{|h6`S^e!V>0iAu zsAm1w421y-Tl*nKqfV;TSvw-@1y;6MlAswh*-(xpBIPYNRm<>L zW3S19*0o#GcQ&wKkPn<2reGoBBqj3VqEKexF*bS8Lt;~@cK6R^3;Dv(Ip2ASI)SRw zSjLeywSzhPMoUW-k#H4QR2A#0&OW?xW950GEbS|+*{Sw0i+gZm*tO);)u#@lu+)#1 zIYF80cvX=14PiOGFC80<58mYh)U8m-u<(+Jwq}x z+!nB6-eV89h7UYy_k{67XX*ieLf!P6V}W{mN^)zb0iJ}TVC$DPUsN!iE^^crkNUk? 
z`!Pg=h{ZJhLh8{k|M`aYVCtz#@?o)Hh}fy{PvU`GSzGBn(H)b*ItF*4ZC^ND0qa>4 zshTXWCe#Vn)rU6D#{c*mx*07TU5jpw(i{5jxoa!8-m5Y)Xf2@7ct+`LKPXpQ39=gB zfO+yUGnbGkoAn8jlN2F0G=rDB`vjn>Atqo|7TZ%u-n=}Fo=#>-y{^A6y39oq5_XPE zXIBJzw+ z81)QJ))WJ$q)6FZw@}_+$)`N|{8hAA3sl`%NNXd5ZjF*~VA1)}XV{%La?u1%+TDf^ zbr$`|*5q7UYdj0~K5kKdQ7oKend7+~CZKvC60J?bcYmAz+OEUi-)W^KeDL!*t0CK= zKhu=t>$Bj-c3E2|PDy7Y)SIWr)J%auxA@}13A3_qy5IWJ-0H3h?U+T*Gru>lTwNKe zzG1p5nI8DZQlQ0kJI|?1OgB*VkdmpAI81sWhzIi+SL6_WkKpw?&4jAE)TiTZn+Xpk1-`q|zKR!^xLOwD z7_U7nYXJy3=RT@}L4*mkYb=w4WLq-&D%=ET0z5${e9Qgb9(D!W`cCn%qJ}1zm1|2H zR}U)rpZZtKCx-d`i=&le{yl|**MQ@Qq(`l%UoHwXXO39mP6IV)x!aUbi52ORVSKNT2$zv8%sW7^$yhs=pHf=8_{9X(>8x!*=R-HXY8&M zNsVODlAKO+i<~}R6=;k+_mZUFCsM1njV>D%4%NN#-hfl$3t|1K2Y|ZbNvRR6qA4Y0 zJafDJRdxF#YH2Ei6C)yRX(+VO7kgJ2(GXn;h7~4UxVq>nLxH<+=EJ)8SN3m}Hd2O3a_1xvzNRU1J{-pL^X^g;Ef5x$K|GU-cVPLvLfX!fyn0VaZa&cZlzKTGs z&yDjHUBw&TAdHYS!Qgpm1}a9o{J@Qkjl*@xsp15oV%4uw8&j|rmYw=L^v2+6r4iOg z%j)sX2OD-I^dtOf2i5b^GGy#jqFx#JvOSsf+r(4zfZr=9)yB7i@N^=<1B5O6hTZCd)~aQ2 zM_$dGj>{>ko5S~sUddrD^W)U_Xm{xr(L9I$aY(?beC#gRQz0(7mryc~9*i|B!c8M; zPV?fZ{Bfko*>huq#k7Oj3(~Of-R`3H&l=BX!@f|R0~98A>w#5(&Vh%P_Xh0H>;2a- zh-OY1FVu@E2k|kxZDVX*!RcvPKDSIoQ&RZb@v;FWX&7l>kKtM|u5>a31>V-@@)oi` zOE}UFO=bJ^*2kD#HnfTK!9T-|;~>BT&ZR!cS}R?R|54-=58TE?hDq->LLS?;Z_x?> zS9b&3nEwD@yM(q<_FRO<-LBW~4BESi+CE}!H(wGqQ}6p}-Y{d_>mi4+`}kA)MzTVQ z=7B2JXzfa7S-3tFXZ3i^W9&A`t2lZcH6}*-o-=V|qyC9=Oy#L+)@o?6A=gk5LgS?XhiOEi*x{GvLBCx%+BLs|TuD@z2@cnZ$^^~A^#rO4mYV{*XB~C8YfvYcm78w4 z{5B|9=u)euLZRscNtoDJ1JBV6=wYU#iK24Qp42G2L;58% zZ~##Eg6Eg0p(W!q>x%;vnbo&|dmPkk@|_GDrGUhU7)P{s6(yibOF5@R)t<7u2VG}5 zG4NK=)l<$fog-0x&H2-18agsp0&ZE^%)ncR>v_z~yLjBk?fB}N0!E4DuOPgy|6s|2 zlpvxdB^m3r;1__>M!trm3AH+bK2LnwUI@uod`~hx1M>^^?|&j(H50N z-kw(^j#V`B?HPV%iI+uNZYhFp$27%g+QNzKJ_5edRPbEvyrO&xn4(*|^5bAt1t||w zkREqYv7DS>4ZEU|1loC#LBL}{z5qYXMFg?V#LDKb@MPAmbcza!t>1J|3Tfl+?)E^7 zxWCsfe%c1kNN1>j1G#!c@DKKbGx9PB3**#Ze`UyV3g=x$5HTNnyMH}oeaQvaY#1HdP-Z{+wB2r#JL3*X{ 
zC&eDkAaH;g)&{kzwfn4q`=xaYHg_;Uq`anr^m8xJI~GQRipuE_6S-XpcRpyy&j5z2k-q%4z2OEfakxnUc_I1`Sq8X)%PbkeP<;e}qXufbR zW!XdEE60OlOs+*pvdqhqSr&DEQ5e)tul-CV+bh5no5V*Qx(4|HnVR8+B$}21GYEzW zxW}cuG4o1{g7XSRVw~1xTikkLOJ}D)cD{Iw3kbo0yOiH8WVq#uKw>A!?5?Z*=fatMRaB0- zA~(J=8lPO`j-%A-^LN=DIKu$@Qq&Vu;uzDRm2ilJ@A(?<$=jT^G~S!pYGo(6WEody z7@+B;5a>%Z#K`B9uTE#HhE1{UM!QYoqMG3D>le@iT&A%x|U!t@% z$tFyGLD8A%*bpiRY3#3aZS)~?go&cr#mN)04Tav2nAMCV0;fT9PS!AA-A?iT4>_EQ z(l3#b=En<}Ae$bkVuLMSSNrN$N)qxQjk!uQBCwZ-j-#xuVtVT`E3zk6KEoA@xcl(Z zNT8>5g8K)%s0(1Uu$;Jrhj-UA}wY5_#bLLG)o2UUl;!Mjbz9207cq%QA`<3Aew z%!iM-{I@{y>M3_|S|X?%^p?%(40kWL)dL?kC{tezBegRA;d6bkb8S+e*bm6?BiM|a^f(`Wx&gC&3-(iA0jicws2ZuD{>x`p6L4|Bj* zDt`$;3|(J z=UESyugJj~_N=r#ec~9xFyRRPoET8QxB29nn!skeX$ql7t0c$w&6`k-IJr;z_k(!o zE>bu7RkF&$!lWRUOGEAs81{0w$e8tp_8@zCWBv*j z?ZX-C`Y*8c(8TW@>>K=_36wWCe~%G!3mos>SkgNk1ujiC$aqT-U7!Ar!YO(aXROn; znooJNSv9F&g7USvBU~v3)kJ3j94rrZ+~`*RY!h!6En3&Oi6u^oQc&PVu4sw#C+2Fv zb4JLChmVA)HQzZV_1PCk$?&9RMS0|M=K?uxem7E)=t6n?7YKm#j+k?6N|czV>rVA*TXAMju6gNrc+q%g*nM)@(Q7{=1ck8Ys3n z=7@rNtX$2fDpw_lCCmF~sJN}XRS8H#?0$Qu8yf*+LqkW~(vulOzmTrgvzg@zbZ9gKH zCS*_6k-Oyf!VQpC;&_&;lH5X$=JlU}X*p$R5`&L0#FU$ORT5VsLj(zqXu78D!d*Y^ zsygc(EOA14mkJ#XIo)!j`l7b7i$KU77m%;EuZACS7e#L&*W3uet8xNTSli9=pu^nL z9C?XrZ%gz7%$!2&ViF7ymzdcA_o5=16ryoa<3@t+_pZOCp1H;B!4ePPh?=B?*Re5h zb{#D1D_xM1xcNev9dCADfonhd+1~J-qM-n_%JEw~xq^Zmt>y!aZT5EQMkP{u zrjMA|`05O!x}snS`T^k0{isMgt3<6bWVi-<*6n`!8>*ItS!LLxGx>l?FN)%Z&0Jn1 wI?;Uqop9`45zVGhkOo2$|NmM`J_WRkINAU6iB!$_i7XS+__ono1Lvpz0l=s8H2?qr From b695eb0d17c6f8ea49e7f190e9d19fddf84eed21 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 13 Dec 2018 11:20:19 +0000 Subject: [PATCH 20/24] Clarify example --- proposals/1442-state-resolution.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 64a74d962db..76abacce475 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md 
@@ -488,7 +488,7 @@ event. # Appendix -## Example 1 +## Example 1 - Mainline The following is an example room DAG, where time flows down the page. We shall work through resolving the state at both _Message 2_ and _Message 3_. @@ -545,7 +545,7 @@ auth checks, and so the last topic, _Topic 4_, is chosen. This gives the resolved state at _Message 3_ to be _Topic 4_. -## Example 2 +## Example 2 - Rejected Events The following is an example room DAG, where time flows down the page. The event `D` is initially rejected by the server (due to not passing auth against the @@ -553,9 +553,12 @@ state), but does pass auth against its auth chain. ![state-res-rejected.png](images/state-res-rejected.png) +(Note that the blue lines are the power levels pointed to in the event's auth +events) + At `F` we first resolve the power levels, which results in `E`. When we then go -to resolve the topics against the partially resolved state Bob has ops, and so -the resolved state include the topic change `D`, even though it was initially +to resolve the topics against the partially resolved state, Bob has ops and so +the resolved state includes the topic change `D`, even though it was initially rejected. From 463c71af829a7ec6d663f4268266022a09521e0c Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 13 Dec 2018 11:31:39 +0000 Subject: [PATCH 21/24] Add a note about the examples --- proposals/1442-state-resolution.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 76abacce475..c6ae5e70188 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -488,6 +488,10 @@ event. # Appendix +The following are some worked examples to illustrate some of the mechanisms in +the algorithm. In each we're interested in what happens to the topic. + + ## Example 1 - Mainline The following is an example room DAG, where time flows down the page. We shall 
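Review bot: In the Example 2 hunk of PATCH 20/24, the added parenthetical explains only the blue lines, so a reader of `state-res-rejected.png` still has to guess what the other edges mean, and the sentence has no closing full stop. Suggest covering both edge kinds in one line, for example "(Blue lines show the power levels event in each event's auth events; the other lines are prev events.)", which matches the "Prev events" and "Auth Events" groups in the `.dot` source added later in this series.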
From 48d271e58c50c618cc98a2650455186ac5929931 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 14 Dec 2018 11:22:32 +0000 Subject: [PATCH 22/24] Clarifications --- proposals/1442-state-resolution.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index c6ae5e70188..021990040b1 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md @@ -449,8 +449,9 @@ event (rather than based on their auth chain) are handled as usual by the algorithm, unless otherwise specified. Note that no events rejected due to failure to auth against their auth chain -should appear in the process, as they should not appear in state (and the -algorithm only uses events in one of the state sets or their auth events). +should appear in the process, as they should not appear in state (the algorithm +only uses events that appear in either the state sets or in the auth chain of +the events in the state sets). This helps ensure that different servers' view of state is more likely to converge, since rejection state of an event may be different. This can happen if @@ -461,7 +462,7 @@ consistent view of the state of the room. If the view of the state on different servers diverges it can lead to bifurcation of the room due to e.g. servers disagreeing on who is in the room. -Intuitively using rejected events feels dangerous, however: +Intuitively, using rejected events feels dangerous, however: 1. Servers cannot arbitrarily make up state, since they still need to pass the auth checks based on the event's auth chain (e.g. they can't grant themselves From 39f7c779713d92829085c5ad49b9f0d58432a774 Mon Sep 17 00:00:00 2001 
From: Erik Johnston Date: Fri, 14 Dec 2018 13:09:25 +0000 Subject: [PATCH 23/24] Add dot for image file --- proposals/images/state-res-rejected.dot | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 proposals/images/state-res-rejected.dot diff --git a/proposals/images/state-res-rejected.dot b/proposals/images/state-res-rejected.dot new file mode 100644 index 00000000000..d93af632e02 --- /dev/null +++ b/proposals/images/state-res-rejected.dot @@ -0,0 +1,23 @@ +digraph Rejected { + rankdir=BT; + + // Events + A[label="A: Alice ops Bob"]; + B[label="B: Alice deops Bob"]; + D[label="D: Bob sets topic"]; + E[label="E: Alice reops Bob"]; + + // Prev events + B -> A; + C -> B; + D -> C; + E -> C; + F -> D; + F -> E; + + // Auth Events + + B -> A [color=blue,style=bold]; + D -> A [color=blue,style=bold]; + E -> B [color=blue,style=bold]; +} From 8fb2bd292726656777393eb9bb1a91414d59e8e7 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Tue, 18 Dec 2018 09:47:06 +0000 Subject: [PATCH 24/24] Fix typo --- proposals/1442-state-resolution.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/proposals/1442-state-resolution.md b/proposals/1442-state-resolution.md index 021990040b1..97cd66ba036 100644 --- a/proposals/1442-state-resolution.md +++ b/proposals/1442-state-resolution.md 
@@ -471,12 +471,12 @@ Intuitively, using rejected events feels dangerous, however: that allows said event. A malicious server could therefore produce a fork where it claims the state is that particular set of state, duplicate the rejected event to point to that fork, and send the event. The - duplicated event would then pass the auth checks. Ignoring rejected events would therefore not - eliminate any potential attack vectors. + duplicated event would then pass the auth checks. Ignoring rejected events + would therefore not eliminate any potential attack vectors. -Rejected auth events are deliberately excluded from use in the iterative auth checks, as -auth events aren't re-authed during the iterative auth checks (although non-auth events are.) -list. +Rejected auth events are deliberately excluded from use in the iterative auth +checks, as auth events aren't re-authed (although non-auth events are) during +the iterative auth checks. ### Attack Vectors
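Review bot: In the `@@ -553,9 +553,12 @@` hunk (Example 2), the added parenthetical "(Note that the blue lines are the power levels pointed to in the event's auth events)" describes the edges as if they were the power level events themselves, and it has no closing full stop. Something like "(The blue lines show which power level event each event's auth events point to.)" would read more precisely. The paragraph below it also states that resolving the power levels at `F` "results in `E`" without saying why; one clause naming the ordering rule that puts `E` last would make the example self-contained.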
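Review bot: In the `@@ -488,6 +488,10 @@` hunk of PATCH 21/24, the new Appendix introduction is followed by two added blank lines before `## Example 1 - Mainline`, where the rest of the file uses one. The sentence also repeats "some" ("some worked examples to illustrate some of the mechanisms"); dropping the first one reads better.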
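Review bot: In the `@@ -449,8 +449,9 @@` hunk of PATCH 22/24, the rewritten parenthetical now names two sources of events (the state sets, and the auth chain of the events in the state sets), but the reason given in the sentence, "as they should not appear in state", only covers the first. Please add why an event that failed auth against its own auth chain cannot turn up in the auth chain of an event that is in state, or the claim that no such events "should appear in the process" is left half-justified.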
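Review bot: In the new file `proposals/images/state-res-rejected.dot` (PATCH 23/24), nodes `C` and `F` are used in the "Prev events" edges but are not declared under `// Events`, so they render as bare letters while `A`, `B`, `D` and `E` carry labels. Example 2 resolves state at `F`, so it should at least have a label saying what it is, and `C` likewise. It would also help to mark `D` visually (a distinct node style, for instance) since the whole point of the figure is that `D` was initially rejected. Minor: there is a stray blank line after `// Auth Events` that the `// Prev events` block does not have.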
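Review bot: In the `@@ -471,12 +471,12 @@` hunk of PATCH 24/24, the rewritten last paragraph relies on the terms "auth events" and "non-auth events" without saying what they refer to at this point; a reader can take "auth events" to mean either event types that affect authorisation or events reached through another event's auth events. Spelling out which is meant would make the rationale for excluding rejected auth events checkable. Separately, the subject "Fix typo" undersells the change: besides removing the stray "list." line, the hunk rewraps the previous paragraph and moves the parenthetical, so the reflow would be easier to review if mentioned in the commit message.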