From 699bf22adf5ef8772a8c564ad8e56deaf3bc3d15 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 19:57:31 -0800 Subject: [PATCH 01/35] feat: new articles and reorganization --- _includes/header.html | 7 +- _includes/hero.html | 2 +- content/FAQ.md | 6 + content/FEATURES.md | 48 +++++++ content/IMAGES.md | 8 -- content/INDEX.md | 59 +------- content/INSTALL.md | 194 +++++++++++++++++++++++++- content/{SECURITY.md => REPORTING.md} | 0 content/articles/ARTICLES.md | 5 +- content/articles/FLATPAK.md | 25 ++++ content/articles/USERNS.md | 2 +- 11 files changed, 284 insertions(+), 72 deletions(-) create mode 100644 content/FEATURES.md rename content/{SECURITY.md => REPORTING.md} (100%) create mode 100644 content/articles/FLATPAK.md diff --git a/_includes/header.html b/_includes/header.html index 76650195..b6786dd3 100644 --- a/_includes/header.html +++ b/_includes/header.html @@ -2,15 +2,16 @@ diff --git a/_includes/hero.html b/_includes/hero.html index 660c0cf2..080f76e2 100644 --- a/_includes/hero.html +++ b/_includes/hero.html @@ -2,7 +2,7 @@

secureblue

-

Offering hardened operating system images and the hardened-chromium package. Developed collaboratively as an open source project.

+

A security-focused desktop and server linux operating system.

Get secureblue
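Review bot: "linux" should be capitalised as "Linux" in the new tagline `A security-focused desktop and server linux operating system.`; the same lowercase spelling is introduced in the new INDEX.md, FEATURES.md and FLATPAK.md text in this patch, so fix it in one pass. The old hero copy was also the only line on the landing page naming hardened-chromium; if the shorter tagline stays, make sure the index body still mentions that the browser ships in the desktop images.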
diff --git a/content/FAQ.md b/content/FAQ.md index 6d6cb34b..4f84e2e4 100644 --- a/content/FAQ.md +++ b/content/FAQ.md @@ -32,6 +32,7 @@ Table of contents: - [Why won't `hardened-chromium` start on Nvidia?](#hardened-chromium-start-nvidia) - [Why don't some websites that require JIT/WebAssembly work in `hardened-chromium` even with the V8 Optimizer toggle enabled?](#hardened-chromium-exceptions) - [Why don't extensions work in `hardened-chromium`?](#hardened-chromium-extensions) +- [How do I customize secureblue?](#customization) #### Why is Flatpak included? Should I use Flatpak? {: #flatpak} @@ -209,3 +210,8 @@ Extensions in `hardened-chromium` are disabled by default, for security reasons \ \ If the extension you installed doesn't work, it is likely because it requires WebAssembly (WASM) for some cryptographic library or some other optimizations (this is the case with the Bitwarden extension). To re-enable JavaScript JIT and WASM for extensions, enable the feature `chrome://flags/#internal-page-jit`. + +#### How do I customize secureblue? +{: #customization} + +If you want to add your own customizations on top of secureblue, you are advised strongly against forking. Instead, create a repo for your own image by using the [BlueBuild template](https://github.com/blue-build/template), then change your `base-image` to a secureblue image. This will allow you to apply your customizations to secureblue in a concise and maintainable way, without the need to constantly sync with upstream. For local development, [building locally](/contributing#building-locally) is the recommended approach. \ No newline at end of file diff --git a/content/FEATURES.md b/content/FEATURES.md new file mode 100644 index 00000000..6dd35997 --- /dev/null +++ b/content/FEATURES.md 
@@ -0,0 +1,48 @@ +--- +title: "secureblue features" +description: "List of secureblue features" +permalink: /features +--- + +# Features + +## Exploit mitigation +- Installing and enabling [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally, including for flatpaks. [Thanks to rusty-snake's spec](https://github.com/rusty-snake/fedora-extras) +- Installing [hardened-chromium](https://github.com/secureblue/hardened-chromium), which is inspired by [Vanadium](https://github.com/GrapheneOS/Vanadium). [Why chromium?](https://grapheneos.org/usage#web-browsing) [Why not flatpak chromium?](https://forum.vivaldi.net/post/669805) +- Setting numerous hardened sysctl values [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/sysctl.d/hardening.conf) +- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) [details](/articles/kargs) +- Configure chronyd to use Network Time Security (NTS) [using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) +- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved +- Installing usbguard and providing `ujust` commands to automatically configure it + +## Filling holes in the linux security posture +- Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh), replacing functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries), and remove `sudo`, `su`, and `pkexec` entirely in favor of `run0` [why?](https://mastodon.social/@pid_eins/112353324518585654) +- Disable Xwayland by default (for GNOME, Plasma, and Sway images) +- Mitigation of [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger) via `ujust toggle-bash-environment-lockdown` +- Require wheel user authentication via polkit for `rpm-ostree 
install` [why?](https://github.com/rohanssrao/silverblue-privesc) +- Disable install & usage of GNOME user extensions by default +- Disable KDE GHNS by default [why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/) +- Removal of the unmaintained and suid-root fuse2 by default +- Disabling unprivileged user namespaces by default for the unconfined domain and the container domain [why?](/articles/userns) + +## Security by default +- Disabling all ports and services for firewalld +- Use HTTPS for all rpm mirrors +- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned` +- Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default + +## Reduce information leakage +- Adds per-network MAC randomization +- Disabling coredumps + +## Attack surface reduction +- Blacklisting numerous unused kernel modules to reduce attack surface [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf) +- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions +- Disable and mask a variety of services by default (including cups, geoclue, passim, and others) + +## Security ease-of-use +- Installing bubblejail for additional sandboxing tooling +- Tooling for automatically setting up and enabling LUKS TPM2 integration for unlocking LUKS drives +- Tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives +- Toggles for controlling access to (unprivileged user namespaces)[/articles/userns] via SELinux +- Toggles for a variety of the hardening set by default, for user convenience (`ujust --choose`) \ No newline at end of file diff --git a/content/IMAGES.md b/content/IMAGES.md index c3d04d01..09606675 100644 --- a/content/IMAGES.md +++ b/content/IMAGES.md 
@@ -9,17 +9,9 @@ permalink: /images Table of Contents - [Desktop](#desktop) - - [Recommended](#recommended) -- - - [Silverblue](#silverblue) - - [Stable](#stable) -- - - [Kinoite](#kinoite) -- - - [Sericea](#sericea) - - [Beta](#beta) -- - - [Wayfire](#wayfire) -- - - [Hyprland](#hyprland) -- - - [River](#river) -- - - [Sway](#sway) - - [Experimental](#experimental) -- - - [Cosmic](#cosmic) - [Server](#server) *`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau.* diff --git a/content/INDEX.md b/content/INDEX.md index 38e35fad..6d5287ef 100644 --- a/content/INDEX.md +++ b/content/INDEX.md 
@@ -1,65 +1,16 @@ --- title: "secureblue: Hardened Fedora Atomic and Fedora CoreOS images" -description: "secureblue offers hardened operating system images based on Fedora Atomic Desktop and Fedora CoreOS" +description: "Hardened operating system images based on Fedora Atomic Desktop and Fedora CoreOS" permalink: / --- -secureblue offers hardened operating system images generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with selinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a hardened system. However, out of the box it's lacking hardening in numerous other areas. This project's goal is to improve on that significantly. +# About -The project also maintains [hardened-chromium](https://github.com/secureblue/hardened-chromium), a hardened fork inspired by GrapheneOS's [Vanadium](https://github.com/GrapheneOS/Vanadium), using [Fedora's Chromium](https://src.fedoraproject.org/rpms/chromium) as a base, intended for use with [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) as packaged and provided by secureblue. In fact, hardened-chromium is included in the secureblue desktop images. +secureblue is a security-focused desktop and server linux operating system, developed as an open-source project. It is shipped as a set of [OCI](https://en.wikipedia.org/wiki/Open_Container_Initiative) container images, which are generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with SELinux and associated tooling built-in and enabled by default. 
This makes it advantageous as a starting point for building a secure desktop system. However, the security posture of desktop linux is broadly and significantly lacking. The goal of secureblue is to build a maximally secure linux operating system by proactively increasing defenses against the exploitation of both known and unknown vulnerabilities while avoiding sacrificing usability for most use cases where possible. For more details, see the features list. -# Scope +# Who is secureblue for? -secureblue applies hardening with the following goals in mind: - -- Increase defenses against the exploitation of both known and unknown vulnerabilities. -- Avoid sacrificing usability for most use cases where possible. -- Avoid sacrificing tangible security for "privacy", as that's often a euphemism for security theater. - -For hardened-chromium, these goals are extended to specifically include the following: - -- Desktop-relevant patches from Vanadium. -- Changes that make secondary browser features opt-in instead of opt-out (for example, making the password manager and search suggestions opt-in). -- Changes that disable opt-in metrics and data collection, so long as they have no security implications. - -The following is out of scope across all secureblue projects: - -- Any novel functionality that is unrelated to security. -- Anything related to "degoogling" chromium. For example, we will not be replacing [hardened-chromium](https://github.com/secureblue/hardened-chromium) with Brave or ungoogled-chromium. Both of them make changes that sacrifice tangible security for "privacy", such as enabling MV2. [why?](https://developer.chrome.com/docs/extensions/develop/migrate/improve-security) - -# Hardening - -- Installing and enabling [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) globally, including for flatpaks. 
[Thanks to rusty-snake's spec](https://github.com/rusty-snake/fedora-extras) -- Installing [hardened-chromium](https://github.com/secureblue/hardened-chromium), which is inspired by [Vanadium](https://github.com/GrapheneOS/Vanadium). [Why chromium?](https://grapheneos.org/usage#web-browsing) [Why not flatpak chromium?](https://forum.vivaldi.net/post/669805) -- Setting numerous hardened sysctl values [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/sysctl.d/hardening.conf) -- Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh), replace functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries), and remove `sudo`, `su`, and `pkexec` entirely in favor of `run0` [why?](https://mastodon.social/@pid_eins/112353324518585654) -- Disable Xwayland by default (for GNOME, Plasma, and Sway images) -- Mitigation of [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger) via `ujust toggle-bash-environment-lockdown` -- Disabling coredumps -- Disabling all ports and services for firewalld -- Adds per-network MAC randomization -- Blacklisting numerous unused kernel modules to reduce attack surface [details](https://github.com/secureblue/secureblue/blob/live/files/system/etc/modprobe.d/blacklist.conf) -- Enabling only the [flathub-verified](https://flathub.org/apps/collection/verified/1) remote by default -- Sets numerous hardening kernel arguments (Inspired by [Madaidan's Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)) [details](/articles/kargs) -- Require wheel user authentication via polkit for `rpm-ostree install` [why?](https://github.com/rohanssrao/silverblue-privesc) -- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions -- Installing usbguard and providing 
`ujust` commands to automatically configure it -- Installing bubblejail for additional sandboxing tooling -- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved -- Configure chronyd to use Network Time Security (NTS) [using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) -- Disable KDE GHNS by default [why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/) -- Disable install & usage of GNOME user extensions by default -- Use HTTPS for all rpm mirrors -- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned` -- Disable a variety of services by default (including cups, geoclue, passim, and others) -- Removal of the unmaintained and suid-root fuse2 by default -- Disabling unprivileged user namespaces by default for the unconfined domain and the container domain [why?](/articles/userns) - -# Customization - -If you want to add your own customizations on top of secureblue, you are advised strongly against forking. Instead, create a repo for your own image by using the [BlueBuild template](https://github.com/blue-build/template), then change your `base-image` to a secureblue image. This will allow you to apply your customizations to secureblue in a concise and maintainable way, without the need to constantly sync with upstream. - -For local development, [building locally](/contributing#building-locally) is the recommended approach. +secureblue is for those whose first priority is using linux, and second priority is security. secureblue does not claim to be the most secure option available. We are limited in that regard by the current state of desktop linux standardization, tooling, and upstream security development. What we aim for instead is to be the most secure option for those who already intend to use linux. As such, if security is your first priority, secureblue may not the best option for you. # Support and community 
diff --git a/content/INSTALL.md b/content/INSTALL.md index 61226929..e48d29cc 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md @@ -4,7 +4,7 @@ description: "Steps to install secureblue" permalink: /install --- -The recommended method to install secureblue is to first install a Fedora Atomic ISO and then rebase to a secureblue image, or to first install Fedora CoreOS if you want to use securecore server images. Unless specified otherwise, secureblue is used to refer to both the secureblue set of images and the securecore set of images, for the sake of brevity. The install script presented in a later step lets you choose between them. +To install secureblue, you will use a Fedora Atomic (or CoreOS, for securecore) ISO to install Fedora Atomic, then rebase to a secureblue image using the installer. Unless specified otherwise, secureblue is used to refer to both the secureblue set of images and the securecore set of images, for the sake of brevity. The install script presented in a later step lets you choose between them. Following the recommended method, you *must not* rebase from a Fedora Atomic Desktop install to securecore, or from a Fedora CoreOS install to secureblue, or from secureblue to securecore or vice-versa. @@ -43,7 +43,7 @@ Before rebasing and during the installation, the following checks are recommende To rebase a Fedora Atomic or Fedora CoreOS installation to a secureblue image, download the script below. This script does not install secureblue into the existing system. It rebases (fully replaces the existing system) with secureblue. -[![Download](https://shields.io/badge/-Download-blue?style=for-the-badge&logo=download&logoColor=white)](https://github.com/secureblue/secureblue/releases/latest/download/install_secureblue.sh) +Download secureblue installer Then, run it from the directory you downloaded it to: 
@@ -55,4 +55,192 @@ bash install_secureblue.sh After installation, [yafti](https://github.com/ublue-os/yafti) will open. Make sure to follow the steps listed carefully and read the directions closely. -Then follow the [post-install instructions](/post-install). \ No newline at end of file +Then, follow the following steps in order: + +- [Subscribe to secureblue release notifications](#release-notifications) +- [Set NVIDIA-specific kargs if applicable](#nvidia) +- [Enroll secureboot key](#secureboot) +- [Set hardened kargs](#kargs) +- - [32-bit support](#kargs-32-bit) +- - [Force disable simultaneous multithreading](#kargs-smt) +- - [Unstable hardening kargs](#kargs-unstable) +- [Setup USBGuard](#usbguard) +- [GRUB](#grub) +- - [Set a password](#grub-password) +- [Create a separate wheel account for admin purposes](#wheel) +- [Setup system DNS](#dns) +- [Bash environment lockdown](#bash) +- [LUKS TPM2 Unlock](#luks-tpm2) +- [Validation](#validation) +- [Optional: `hardened-chromium` Flags](#hardened-chromium-flags) +- [Read the FAQ](#faq) + +## Subscribe to secureblue release notifications +{: #release-notifications} + +[FAQ](/faq#releases) + +## Set NVIDIA-specific kargs if applicable +{: #nvidia} + +If you are using an `nvidia` image, run this after installation: + +``` +ujust set-kargs-nvidia +``` + +You may also need this (solves flickering and luks issues on some NVIDIA hardware): + +``` +rpm-ostree kargs \ + --append-if-missing=initcall_blacklist=simpledrm_platform_driver_init +``` + +## Enroll secureboot key +{: #secureboot} + +``` +ujust enroll-secure-boot-key +``` + +## Set hardened kargs +{: #kargs} + +[!NOTE] +Learn about the hardening applied by the kargs set by the command below [here](/articles/kargs). 
+ +``` +ujust set-kargs-hardening +``` + +This command applies a fixed set of hardened boot parameters, and asks you whether or not the following kargs should *also* be set along with those (all of which are documented in the link above): + +### 32-bit support +{: #kargs-32-bit} + +If you answer `N`, or press enter without any input, support for 32-bit programs will be disabled on the next boot. If you run exclusively modern software, chances are likely you don't need this, so it's safe to disable for additional attack surface reduction. + +However, there are certain exceptions. A couple common usecases are if you need Steam, or run an occasional application in Wine you'll likely want to keep support for 32-bit programs. If this is the case, answer `Y`. + +### Force disable simultaneous multithreading +{: #kargs-smt} + +If you answer `Y` when prompted, simultaneous multithreading (SMT, often called Hyperthreading) will be forcefully disabled, regardless of known vulnerabilities in the running hardware. This can cause a reduction in the performance of certain tasks in favor of security. + +### Unstable hardening kargs +{: #kargs-unstable} + +If you answer `Y` when prompted, unstable hardening kargs will be additionally applied, which can cause issues on some hardware, but are stable on other hardware. + +## Setup USBGuard +{: #usbguard} + +*This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard.* + +``` +ujust setup-usbguard +``` + +## GRUB +{: #grub} + +### Set a password +{: #grub-password} + +Setting a GRUB password helps protect the device from physical tampering and mitigates various attack vectors, such as booting from malicious media devices and changing boot or kernel parameters. + +To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries. + +1. `run0` +2. 
`grub2-setpassword` + +GRUB will prompt for a username and password. The default username is root. + +If you wish to password-protect booting existing entries, you can add the `grub_users root` entry in the specific configuration file located in the `/boot/loader/entries` directory. + +## Create a separate wheel account for admin purposes +{: #wheel} + +Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors, like: + +- https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#LD_PRELOAD +- https://www.kicksecure.com/wiki/Root#Prevent_Malware_from_Sniffing_the_Root_Password + +{% include alert.html type='caution' content='If you do these steps out of order, it is possible to end up without the ability to administrate your system. You will not be able to use the traditional GRUB-based method of fixing mistakes like this, either, as this will leave your system in a broken state. However, simply rolling back to an older snapshot of your system, should resolve the problem.' %} + +1. `run0` +2. `adduser admin` +3. `usermod -aG wheel admin` +4. `passwd admin` +5. `exit` +6. `reboot` + +{% include alert.html type='note' content='We log in as admin to do the final step of removing the user account\'s wheel privileges in order to make the operation of removing those privileges depend on having access to your admin account, and the admin account functioning correctly first.' %} + +5. Log in as `admin` +6. `run0` +7. `gpasswd -d {your username here} wheel` +8. `reboot` + +When using a non-wheel user, you can add the user to other groups if you want. For example: + +- use libvirt: `libvirt` +- use `adb` and `fastboot`: `plugdev` +- use systemwide flatpaks: `flatpak` +- use usbguard: `usbguard` + +{% include alert.html type='note' content='You don\'t need to login using your wheel user to use it for privileged operations. 
When logged in as your non-wheel user, polkit will prompt you to authenticate as your wheel user as needed, or when requested by calling run0.' %} + +## Setup system DNS +{: #dns} + +Interactively setup system DNS resolution for systemd-resolved (optionally also set the resolver for hardened-chromium via management policy): + +``` +ujust dns-selector +``` + +NOTE: If you intend to use a VPN, use the system default state (network provided resolver). This will ensure your system uses the VPN provided DNS resolver to prevent DNS leaks. ESPECIALLY avoid setting the browser DNS policy in this case. + +## Bash environment lockdown +{: #bash} + +To mitigate [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger), run: + +``` +ujust toggle-bash-environment-lockdown +``` + +## LUKS TPM2 Unlock +{: #luks-tpm2} + +{% include alert.html type='warning' content='Do not use this if you have an AMD CPU.' %} + +To enable TPM2 LUKS unlocking, run: + +``` +ujust setup-luks-tpm-unlock +``` + +Type `Y` when asked if you want to set a PIN. + +## Validation +{: #validation} + +To validate your secureblue setup, run: + +``` +ujust audit-secureblue +``` + +## Optional: `hardened-chromium` Flags +{: #hardened-chromium-flags} + +The included [hardened-chromium](https://github.com/secureblue/hardened-chromium) browser has some additional settings in `chrome://flags` you *may* want to set for additional hardening and convenience (can cause functionality issues in some cases). + +You can read about these settings [here](https://github.com/secureblue/hardened-chromium?tab=readme-ov-file#post-install). + +## Read the FAQ +{: #faq} + +Lots of important stuff is covered in the [FAQ](/faq). AppImage toggles, GNOME extension toggles, Xwayland toggles, etc. diff --git a/content/SECURITY.md b/content/REPORTING.md similarity index 100% rename from content/SECURITY.md rename to content/REPORTING.md 
diff --git a/content/articles/ARTICLES.md b/content/articles/ARTICLES.md index 389cfda4..1a927f41 100644 --- a/content/articles/ARTICLES.md +++ b/content/articles/ARTICLES.md @@ -8,5 +8,6 @@ The main documentation for secureblue is at the top-level of the site, accessibl Other articles on assorted topics related to secureblue: -- [userns](/articles/userns) - Brief overview of what are user namespaces in Linux, why is the feature considered a security risk and how is it handled in secureblue. -- [kargs](/articles/kargs) - List and brief explanation of the hardening kargs that the `ujust set-kargs-hardening` command can set. +- [User Namespaces](/articles/userns) - Brief overview of unprivileged User Namespaces, the security risk they enabled and how secureblue handles that risk. +- [Kernel Arguments](/articles/kargs) - List and brief explanation of the hardening kargs that the `ujust set-kargs-hardening` command can set. +- [Flatpak](/articles/flatpak) - Flatpak: the good, the bad, the ugly. diff --git a/content/articles/FLATPAK.md b/content/articles/FLATPAK.md new file mode 100644 index 00000000..3cd765e2 --- /dev/null +++ b/content/articles/FLATPAK.md 
@@ -0,0 +1,25 @@ +--- +title: "Flatpak | secureblue" +description: "Flatpak: the good, the bad, the ugly" +permalink: /articles/kargs +--- + +# Flatpak + +Flatpak is an application packaging and distribution system for desktop linux. It uses bubblewrap under the hood to sandbox those applications and provide desktop linux with a de-facto standard sandboxing and permissions system. However, it has flaws and its sandboxing strength can vary significantly depending on how it is configured. secureblue addresses these flaws in a couple different ways. + +As with any application sandboxing system, flatpaks should be scoped down by default to as few permissions as they need to function. Even better, permissions should be granted directly by the user at app runtime like in android. Sadly, neither of these are the case today. Flatpak manifest maintainers define the set of permissions they believe to be necessary and sufficient for operation of their applications. When a flatpak is installed by a user, the flatpak's permissions default to those defined by the manifest. + +This is of course not ideal, but it's also not a reason to abandon flatpak entirely. There are many ways we can mitigate this issue: + +- users should configure permissions to their liking +- users should submit default permissions changes to upstream flatpaks at their repos. +- developers should overhaul flatpak and xdg portals to introduce a better permissions model + +What secureblue does in this case is provide a mitigation along the lines of the first option. We provide a `ujust` command to strip flatpaks of permissions by default, such that the user will need to specifically and deliberately grant permissions required by each application: + +``` +ujust flatpak-permissions-lockdown +``` + +This is not enabled out of the box on secureblue because it has a somewhat significant usability impact (many flatpaks will break due to missing permissions). 
Until the flatpak and xdg portal permissions model is improved, this is the most secure option we can offer. That said, users are still encouraged to report unnecessary permissions to upstream projects when found, while incremenetal development progresses on flatpak and portals. diff --git a/content/articles/USERNS.md b/content/articles/USERNS.md index ce8d0d82..8fd3801b 100644 --- a/content/articles/USERNS.md +++ b/content/articles/USERNS.md @@ -1,5 +1,5 @@ --- -title: "userns | secureblue" +title: "User Namespaces | secureblue" description: "Brief explanation of unprivileged user namespaces and how the feature is handled in secureblue" permalink: /articles/userns --- From 1d832430ac2bcdd10a3ee9158f9510bdb13bde90 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:04:17 -0800 Subject: [PATCH 02/35] changes --- _includes/header.html | 1 - content/POSTINSTALL-README.md | 197 ---------------------------------- 2 files changed, 198 deletions(-) delete mode 100644 content/POSTINSTALL-README.md diff --git a/_includes/header.html b/_includes/header.html index b6786dd3..ccd836b6 100644 --- a/_includes/header.html +++ b/_includes/header.html @@ -4,7 +4,6 @@
  • secureblue
  • Features
  • Install
  • -
  • Post-install
  • FAQ
  • Images
  • Articles
  • diff --git a/content/POSTINSTALL-README.md b/content/POSTINSTALL-README.md deleted file mode 100644 index 9c6fcf41..00000000 --- a/content/POSTINSTALL-README.md +++ /dev/null 
@@ -1,197 +0,0 @@ ---- -title: "Post-install instructions | secureblue" -description: "Instructions meant to be followed succeeding a secureblue rebase" -permalink: /post-install ---- - -# secureblue post-install - -After rebasing to secureblue, follow the following steps in order: - -- [Subscribe to secureblue release notifications](#release-notifications) -- [Set NVIDIA-specific kargs if applicable](#nvidia) -- [Enroll secureboot key](#secureboot) -- [Set hardened kargs](#kargs) -- - [32-bit support](#kargs-32-bit) -- - [Force disable simultaneous multithreading](#kargs-smt) -- - [Unstable hardening kargs](#kargs-unstable) -- [Setup USBGuard](#usbguard) -- [GRUB](#grub) -- - [Set a password](#grub-password) -- [Create a separate wheel account for admin purposes](#wheel) -- [Setup system DNS](#dns) -- [Bash environment lockdown](#bash) -- [LUKS TPM2 Unlock](#luks-tpm2) -- [Validation](#validation) -- [Optional: `hardened-chromium` Flags](#hardened-chromium-flags) -- [Read the FAQ](#faq) - -## Subscribe to secureblue release notifications -{: #release-notifications} - -[FAQ](/faq#releases) - -## Set NVIDIA-specific kargs if applicable -{: #nvidia} - -If you are using an `nvidia` image, run this after installation: - -``` -ujust set-kargs-nvidia -``` - -You may also need this (solves flickering and luks issues on some NVIDIA hardware): - -``` -rpm-ostree kargs \ - --append-if-missing=initcall_blacklist=simpledrm_platform_driver_init -``` - -## Enroll secureboot key -{: #secureboot} - -``` -ujust enroll-secure-boot-key -``` - -## Set hardened kargs -{: #kargs} - -[!NOTE] -Learn about the hardening applied by the kargs set by the command below [here](/articles/kargs). 
- -``` -ujust set-kargs-hardening -``` - -This command applies a fixed set of hardened boot parameters, and asks you whether or not the following kargs should *also* be set along with those (all of which are documented in the link above): - -### 32-bit support -{: #kargs-32-bit} - -If you answer `N`, or press enter without any input, support for 32-bit programs will be disabled on the next boot. If you run exclusively modern software, chances are likely you don't need this, so it's safe to disable for additional attack surface reduction. - -However, there are certain exceptions. A couple common usecases are if you need Steam, or run an occasional application in Wine you'll likely want to keep support for 32-bit programs. If this is the case, answer `Y`. - -### Force disable simultaneous multithreading -{: #kargs-smt} - -If you answer `Y` when prompted, simultaneous multithreading (SMT, often called Hyperthreading) will be forcefully disabled, regardless of known vulnerabilities in the running hardware. This can cause a reduction in the performance of certain tasks in favor of security. - -### Unstable hardening kargs -{: #kargs-unstable} - -If you answer `Y` when prompted, unstable hardening kargs will be additionally applied, which can cause issues on some hardware, but are stable on other hardware. - -## Setup USBGuard -{: #usbguard} - -*This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard.* - -``` -ujust setup-usbguard -``` - -## GRUB -{: #grub} - -### Set a password -{: #grub-password} - -Setting a GRUB password helps protect the device from physical tampering and mitigates various attack vectors, such as booting from malicious media devices and changing boot or kernel parameters. - -To set a GRUB password, use the following command. By default, the password will be required when modifying boot entries, but not when booting existing entries. - -1. `run0` -2. 
`grub2-setpassword` - -GRUB will prompt for a username and password. The default username is root. - -If you wish to password-protect booting existing entries, you can add the `grub_users root` entry in the specific configuration file located in the `/boot/loader/entries` directory. - -## Create a separate wheel account for admin purposes -{: #wheel} - -Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors, like: - -- https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#LD_PRELOAD -- https://www.kicksecure.com/wiki/Root#Prevent_Malware_from_Sniffing_the_Root_Password - -{% include alert.html type='caution' content='If you do these steps out of order, it is possible to end up without the ability to administrate your system. You will not be able to use the traditional GRUB-based method of fixing mistakes like this, either, as this will leave your system in a broken state. However, simply rolling back to an older snapshot of your system, should resolve the problem.' %} - -1. `run0` -2. `adduser admin` -3. `usermod -aG wheel admin` -4. `passwd admin` -5. `exit` -6. `reboot` - -{% include alert.html type='note' content='We log in as admin to do the final step of removing the user account\'s wheel privileges in order to make the operation of removing those privileges depend on having access to your admin account, and the admin account functioning correctly first.' %} - -5. Log in as `admin` -6. `run0` -7. `gpasswd -d {your username here} wheel` -8. `reboot` - -When using a non-wheel user, you can add the user to other groups if you want. For example: - -- use libvirt: `libvirt` -- use `adb` and `fastboot`: `plugdev` -- use systemwide flatpaks: `flatpak` -- use usbguard: `usbguard` - -{% include alert.html type='note' content='You don\'t need to login using your wheel user to use it for privileged operations. 
When logged in as your non-wheel user, polkit will prompt you to authenticate as your wheel user as needed, or when requested by calling run0.' %} - -## Setup system DNS -{: #dns} - -Interactively setup system DNS resolution for systemd-resolved (optionally also set the resolver for hardened-chromium via management policy): - -``` -ujust dns-selector -``` - -NOTE: If you intend to use a VPN, use the system default state (network provided resolver). This will ensure your system uses the VPN provided DNS resolver to prevent DNS leaks. ESPECIALLY avoid setting the browser DNS policy in this case. - -## Bash environment lockdown -{: #bash} - -To mitigate [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger), run: - -``` -ujust toggle-bash-environment-lockdown -``` - -## LUKS TPM2 Unlock -{: #luks-tpm2} - -{% include alert.html type='warning' content='Do not use this if you have an AMD CPU.' %} - -To enable TPM2 LUKS unlocking, run: - -``` -ujust setup-luks-tpm-unlock -``` - -Type `Y` when asked if you want to set a PIN. - -## Validation -{: #validation} - -To validate your secureblue setup, run: - -``` -ujust audit-secureblue -``` - -## Optional: `hardened-chromium` Flags -{: #hardened-chromium-flags} - -The included [hardened-chromium](https://github.com/secureblue/hardened-chromium) browser has some additional settings in `chrome://flags` you *may* want to set for additional hardening and convenience (can cause functionality issues in some cases). - -You can read about these settings [here](https://github.com/secureblue/hardened-chromium?tab=readme-ov-file#post-install). - -## Read the FAQ -{: #faq} - -Lots of important stuff is covered in the [FAQ](/faq). AppImage toggles, GNOME extension toggles, Xwayland toggles, etc. From 91f2916d9607c990ab167ebd456e0405cfad14cc Mon Sep 17 00:00:00 2001 
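Review bot: the `/post-install` permalink and its section anchors (`#kargs`, `#wheel`, `#luks-tpm2`) disappear with this deletion and nothing redirects them, so any page still linking there will 404. If the material is being relocated rather than dropped, make sure the two safety alerts travel with it: the caution that doing the wheel-account steps out of order can leave the system without an administrator (recoverable only by rolling back to an older snapshot) and the warning not to run `ujust setup-luks-tpm-unlock` on AMD CPUs, since those are the lines a user following the commands most needs. The wheel procedure's step numbering in the removed text also restarts at 5 after the note (1-6, then 5-8), which is worth fixing at the new location.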
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:05:58 -0800 Subject: [PATCH 03/35] fix url --- content/articles/FLATPAK.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/articles/FLATPAK.md b/content/articles/FLATPAK.md index 3cd765e2..ad3209a9 100644 --- a/content/articles/FLATPAK.md +++ b/content/articles/FLATPAK.md @@ -1,7 +1,7 @@ --- title: "Flatpak | secureblue" description: "Flatpak: the good, the bad, the ugly" -permalink: /articles/kargs +permalink: /articles/flatpak --- # Flatpak From 32d05691f802ef2c0cd8a607a2a71c234b3cac44 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:23:26 -0800 Subject: [PATCH 04/35] fixes --- assets/bitcoin.png | Bin 0 -> 38284 bytes assets/ethereum.png | Bin 0 -> 38170 bytes assets/litecoin.png | Bin 0 -> 38189 bytes assets/monero.png | Bin 0 -> 37794 bytes content/DONATE.md | 8 ++++---- content/REPORTING.md | 2 +- 6 files changed, 5 insertions(+), 5 deletions(-) create mode 100644 assets/bitcoin.png create mode 100644 assets/ethereum.png create mode 100644 assets/litecoin.png create mode 100644 assets/monero.png 
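Review bot: the permalink change fixes a real collision, not a cosmetic one: `/articles/kargs` is also the URL the post-install page links to for the kargs hardening explanation, so two pages sharing it would have left the site build serving only one of them at that address. Since the FLATPAK.md front matter was evidently copied from the kargs article, it is worth checking any other article front matter created from the same template for a leftover copied `permalink`.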
diff --git a/assets/bitcoin.png b/assets/bitcoin.png new file mode 100644 index 0000000000000000000000000000000000000000..4c1ab8d4398e873e37c8afe137e7b9f7b0134a31 GIT binary patch literal 38284 zcmeFZcUV*D+C6MJV;KvhqFBK)h=}xFLUaHT0TBUF6e3-uN+$xD84C(3qlhRdXcVLf zs5GTT2N6*bDWOP-sI){n5eOvt*2bCh&iTIIb$!=+&iwv6@j^nfv$OZJpXa{Uz1F(- zxxIS~7k$6_`x!H4EHc`qzi-Bj*=O-{Zr&`s^6p}S&Wsr|XE`4*axpU6I%6JQ!^{j=d)(co`GL8&fsS$o)g;;KdWbcH~srOp0D}i`4v3h^2avBH!04X zHDeKe-@uO&o{QplI)2G#OtbxxfD5+>E zsA(xEtyfglQr6H?RGBer#=Ohlj)>UH`n$7cNaA-Z@dqBxF3O4uswz&hYHFG;vMTDT z_OkY>n(DIZN=nZ54l0@|PL8TGW>B`*VrXW{xasNbwQzT{pD`o&M%Zs;4PPm5q-lzMJ~t*PJ`^3cuHy_iMrj!yo20 z^6u`al`O3|F;>(q-rpZ~Tj31-z?|ynGMhYywan-XHD)_i=GZrzZx4UT9Z96JRtSbV z%Y*CAd1O*vxujMEBugjyS$Ijc?wZ)xVYl}A$Ba{YIr);ME81X5jY~2{McQIx60z;Ep z#^|}%B2A$^W0Pao^T*~DxGNlwb4w1mcKy`7Zj;y4)dy~?{ucS_r;P7d>I$|I&DL#x z!;LR*yg$Fg)9S6tVP@B^W+u&Zg~9792OYR#5_Hpv14-eSRf~e%ED!h}Fg4L~^!Ajq zck*^{mJ9aunI3)}aJdIx7$H!sr0fg;An^=?k2jn=BB3Z_1K&PUyLQGJ~) zsCz6OsqT)NP8-R(-|GZxVF#Yh{`TvGJw3eqw1P<+r}wLc=funM8`n>7;_pt{cmNYb z&)e5|y^5TQoPw-Duv?(gM&0k%>-ajkXzkPA`NuBs7ir^Be}5k>dHJBAAh{rAId5NA zc|}c4O?d?+c_k%TY$59x;^l82EbHaBiP*)reds&;Ir_T!_`7*~tta+r@8BKaPujQ< z@2~&!_&j|~P5-%jFTX!V0plSbZ0{qlD5oIr=_&u$Px$#81Y#$D9MJ#q6MmKx$)0-e45H~n=NPLBWlyib6y$MoqqIm$bGID2AKKYXj=zkDUJl>Ye%VhCK_ zJbk7=g~9%pE&bhG{%5fM<=BXKrcdXu2ZE3PbHD$x^`GZHy)m{jHPzDhb_^g6&q$xN zk@$WsCvQhLC#~tHs%p*}>S{`=vJOg08nP-b$}X}RicT7`8cwQ?&Z-K^ni@`yf7z9h zm!H4Am!mVWE9_j(4g0ZI(Qr~xcXE=|P<2q3Rk2sMm(_4qb(VEjRZ-MX*3eM4S5o-P zF3f!0Fe~jn{(4lzuAHzdCnYr{;wxoU9PJ%tRa6yKWi_2tm1UhY6_pg6ofVuE6~67t z$x&;kx38x?E~lHPy{oglkC*H8cMt=vwPUXlX`_ zJD7eQ=c1+O>um4u?Q7}n?Lpf3&v5$Bw@tB}ob3JW_3izgvD1GBSj#^HtgM2%)*oj| z?9SBN$;~C?|8Hwz@vPUu_PFG`-2CwUA=58?TTvFy$G`pc?N1N4>7}%O{q&;HvUmJ; z3V!y1&Q8%7Ai$gl_DCvLQI_Rh~aTPFNvI=Ul z3QB(tnC2e?CjZ9?%M&r<&okDM|No4M&h!R<2{QQHx7QH75DVr184UjzGa~H#Uwr&= zE&eZl19tu2FZo}M?|+Buzr*#v8iD`S#{ZpN{~fOX)d>8rHvaGI`rC%<`~NAYoV|d8 zf>10u=4GX!)SB!9C^84H#XKQm{<-&lzk=lUC&8qDpPGi$}>rP@0;y+V0B!$^OJ 
zW$^niEpEZF%;quS&5-t0MnApW{?kuC&H8csETg@@Z)u88U$R4nJ#)qDyGNE>IrM#3 zD*e|jTQ&CXNZr3T>gS&?P1Qp<=HrM!}>PDR_r}4*AQ_I8q*e|ydPv@;PLDB#8 z2pEVN3fHjd&(8>&;E2L^`2VCdvB~s%b1d-m+j|RB@buez(;uEO{oeG4XH38M?Zf}( zj-O_iAGB!Opm*lMWA!haHMPCl3au!7Gu?^LZ9y!nYC}WA?88s?QOMb)Jhn9@EICm^ z<>+27udL(!jh~{);p}>8Zm7Mz{h>pL_U*guPk6kv3fig0B+CB%E_pT<`}T>B96x^ib)0-- zqtIBsWVA}1mD*i>Q`_3Y;!eBpy0R;q&8{CYFfg#rwlm$cXa5`W@XJk~Dx%fjhObm~ z&^I<-pjUo@-fQ2edd-Vfdh)W;B&;P%%g9(r znB>`c;HX5%Q@659%N;aNe7#@FBMZhIJv}pf%+fP5q9w?3uVgk?x#Y}L?=B6S6pe9n zb6dx@KOYrU^xfiRVH1YpA)i+?iHye%S?J=@{#{q~R>_SE?@ryj*PZX#qV<+ukej=3 zt;Svo|H2ye(!t*sutO*mR>_GmHmAFm+c==k+Z zGkYRFKK}CM%i<)ehSt^+D``2ohQg4BEZfPU3W@;>?#@n4ZS4fD^O)3!pZK1BHY)64 zF=!P}#!h_wQo}d<(o$eX(h2->pp7H{?drCO&;p`~~M^>FCn>k+L(3mi3wSx?Jtz^ZB&XT*WJkRd1|3rEEN-DUKx+jDePU z(JQ5+(|Rl~z1z{zv5(5XdE*B5USB3(I!@=?dF_b*%E67_V}?z`P4}fT@BZ_Yq`8=($^-(Xi`cdW3s;p3s1_1zGTzRZFa>6>Ui>pANybe z@%jfMm&@e#OVqe1TsL8bj+h=jnp(=Ms;XjlT)nzNL?rs%yS)+;66K-VS9|V6>+UO# z|R+ur)~&ogQ|1{)ayZe~HdQhoO&219spowjJ%y*)RTuA8tUnD_$y zNx#vanvt$5i|XolRSqYcvA!hNd5TZ^Su#=7~%Z>(n&9F#?cCH65XSE_HnVd^eHx#P1&B3ANqf z;Wd-Z<$P9ct#5CwBscWn!RDvG%w{G?gYygsShRR?U{H{CC8dOFm3s}bAK~Ywc2MB) zYHC+wV^5zxjUXZO)xyqBTwJ`rCw27d=i$!RwcU+1H4jr$cPZ+4w-;koA1E1* zkO+T#jJcItHkeh^Z}Z6M9F?!=_~QI3<((vkQ|0BRrUTqiBcpRi6_tU|Ai1W(FGRhRWGfF*q z@}xoBhrYhd$p^mzt}7o@Z=Dqy8hYT=nk{m2d;B%d+F8&34*`nv ze8j77$Yx67?Y3u`QmU%l+GJz)M94^2iBK>}r~Tg8Sn%M%UJIcJY4n|*20Npe}joa5^EqOgDiN*>WGvXkl7#JF6{7B}H)~!-@*~JlCv4Y3rrT@qZ{&d0G zF2tZ@_{D`ah}yuGq9dxRsJZPYu6h0MPV=v%wvPU+&Jra4ywEOK%gAjRnd2`)On?7|!NL&@j@OWci zzvkOyzBp)xhdDVsJRD=z)@Ex-L?u?$u?k-9$%e_6hKBvN#3NH66(>(w!C!{36Cbah zP$kcp@;!3o)<@fU3m0B#ZzT&Ss&8rq?7KhE-7S?aAtp9fZ((-&)T!~w$&Alop`rTR zgoK2={-j@K&(+2Cu#uRVnLw73avdM+VDlqRojNNvh5z?DB>0L3~wd{Oms@1(@# zG*<8B;N_!@5%xQGo=FuZl1@ajS%EE{I(PrWNk>5H=^XiPgGP&E-JU&rFd|)De5p0+ zUZI~a8P<>JMJ#3(CVDgYU;U~{_Y%E5h=)o-Rpdm41nsc9P}$|pfoYtSpTFOdHZ?x9 zY_rMW@bJDjjESxUnf>?oW|OI-J#!^O_mYI=ViYH5=d|w0u>l%^il_S9iefHbt{*8c zFE5n19@HMv{mWeOy$c)b>k+yr6iTd*pWg^3YW>Lm3{?P|l95M`lz_K!-CbRi%Zihe 
z4RVzbr+_+ib#*UZ-0iK1+^f&Ugz4+)IjWYhZtYsjVLp$$jP!+`;H-4rJNQW$ho!dJQBhG1 zf`IJkq$Em6$dd;7J-GO6*YrWL0wW3o(c%a&bNtcALvwmv=&wq%coeY*P0$5(F<;8<^DXsE_UcsoLTDgXB) zjbc$0HJ=aLi~7luk_K1IOih<}E?c@(tDgGnbQSfNO6lLNqAWGn+&%|LqOPv)_2R-K zZAC};pf9%=KcvhrY#%LRwvFHH|cbjNQ|hXObao=p#SkjSCqgMj1d-36X4SL5T; z69?+7IaBR_PEQn>H}AJ_g`<6}%1WbpT5#~=qY5|G zJl~_>$P$=oXlX_Af&v3qaOE=xK7QPoKJekgt-R7^52WXYvEn9={H`t+ZdaaeF{0Z* z$yg$9snO(o5fKV8u3@gO&91v096loMV+@!acYg72U&$U#4~VrIM$^*NbnBx~SMnw% z&JCj?{qDQ(c%|j5JjIV_Jdqxk7Otpg&}inmN=mhR`BG9+QNu*Xca$E+R+)Dkig z6iD*lQ>rONfu<#rZQPdk?{oXB^YhirOY`!WN2}vX8sqvUK8><2x@6fFrL^yJch9h8 z9qui2$Z5{~%4%rXT-+_PnJL+ahT&o!#zu3S0VHiZ%_FwBn<-0@uv_sr?jZhfv3!=3c-6tkqP zyrdl`=LDpdh4!~Txe;8j()eL)((o^9wr$oH&v3nS;tfD01?%>E@W|=;)O4i6;^` zPK0G{aYRH!Oiaw~(!xR;Dh=_sUhE!#7Y6TK$K2fws?=3g-E4&~UhJ&lsi>*t=jT(Y)O3mch_Gd4dKLmUGecHZ zmd&@evO1W#pF5d6Irwmlhm^-o*s;m@Av0x1M0`KU68)%{xH#8=xGw_(+2JKv@v#lj z7cS%lto-!i!ZO*n2oejKG#i`vRN=3`&NAm;ySCD9!_=dxsZdk(f?Kz?yLW>Nuu<>E zc3*g94$pr5j?Tk51ct5LxpU_+TVdv*f=FKFn>V6Na`51-)bP;IVvi#^2lTnXLk8S6 zt5Pt>_{m6z58|b_-7EOo>{I%9>;hmp<{uwFxYQO`r(AN%O zgJfTq`RkVhGk7#9aEnKc?ZGLe>b|poQdl_rpy|@tv-4JTi0xuIe7O324Z)iIN6gsv zSIrukz(7TXh3P*Yva#7JBa_UXJ!{tC!-p*|o0^&eLF~_Nt*zbYx%tN*^+};9_2T1K ze`-ww0VO6X>d&q>Qlwa0OBLFsA)9A%vWrSpD7Ln;$I^<6Tb-2BSn_VT=m$A`K+Rae zxo=REVdw4bZQfo{Q2{(h@>WY|BfuzDJDm zpI&_a?9{Mmb4(?R#oEjFA85C|5`FRFicVAmFH9?{b4!gIDt;h$YHMk^I60+u;}Yw0 zG3@%>WY=Hf;^G>(MkXeoXX-^r@*R+zSFc|Es<2ITr}q83CvSNn7Om*qgm@Lw=52Ju zby;Fg4k^D%I6)LS|4~%>%~$QGWoikY!2g?Lq*2#PV(zS4w=Od~>GI{J=A~(AMpwu| z{WrGIMtjWL3Z6cDcH6x%E3%`ou#n9@R-V9>c^o?NXbVj+MF52KF$y@)0EQ8;*e>Do ziV7(JEyd8@+GK24Egi6^8E>OY)&j*xG=XjH)O=coQyJ^&I5kgIr-~H997PtY4EOLe07^* zJ&}ow225(G3~+j(*Alb`{+ z$v*Oi4Y&3B3P4-#A{*;V6oBAa#lN7nUhhzWS7+&z6lVXnS$9{O z2p9F5x#2Vd!%Bc}Kp}l?q3znWE8=}pX=y1v)Wqa`k6<^gq9b`;xGJ3`NjqJz@RwhH z2@DHnulV7IryKtUHQ-$pxc=wQ^|?OA#>VF6m$opDf7%&SS)X}GeH}k{Q+7ZYCi-q; z<2!fmtXmgbx(nAf_UhI2#_Y_@<*KNEj%PN?WK!(xu}Y-xIY{0`5h zF05pKhSe3|UT;6Y9I9~n^5t}1QDEOzSy`)WA|ke7&^F+FB0GSKk-s9@5vNa2OiZlm 
zu#dw=nd#~KssS<1^3pOgWaQ+o1}+y9>;CwWe))b{+LPcRI<=FCZc;g^t70nsJAVJJ zro-n;lcJlkmzNit`}*~3fMf>;2hkB{XJ;@Uh|3wg@MSlxQNhsp`}ghp_~FC5WMeTd z*Zb(vA2MCHZ{H3I(qSB65?2IA7CE8p`WBfrk~e?x;>F*8uk=!X3tyo&;PJu8%>0DR z;^M;`8&tDRT9=>rbw@TxDJku1CfnnBSp8!d(=TWAGT?lJAKrexMW9IQTUu83CF0qORG_4ZG4-O9AH5oF|8F#^tMk0|6syIE* z_IY&Pn>w@?pnD4|$F+KKo-WXmOH9)xqQC`rwX|f(5+)h-6P2pPnevt{9iKXg<-aFU zCoR#MwnQ*;C51~hAfKQ5UNBxk&L1e+F?U0l;}}7=4?SPTd}J-3Pkd{r6c0j)t7n)Kr23AXrw28q-r4_-m)W{+6x<3l>zl_#v3qH!^_bN+v*Q04`>*SQ*yY zktDPsY$>7`fFjK7B>{y0I#z3q5x&^+I5QtOKbOe zaE+>;P$&T}auv$4)@9OLChCi(J zE(bq-W{oT28J#Pk?scOf+}GDP*XwO->tS=U8JVAZTRbbzy>az1p_7YCBySqzm5zo* zlshb8iY#0x%Ean=-0SWooga8MX;|;4pMupd3abtZ3mE(=4gQZr*@YqQ0NdhvL%?LU z%_>;gTeiS|`#J}O0AJsad+xM_hJ_)OU#N=)?%0Ab?UX8D(&osm-T~Na%+0 zCu*<2gDRF;-BA_+7>u)9K7zQ1c|ezpjE)wWKVR{8`z=;BHa3=)ce9g#$*uP9U+p@w zrtd-QSB86|Trat!w-IAaWfj^>HahUeLhfpnR3eQ02$iL`>xUw@L7CK<&02Oq# z+%XrTp5vh$;Ou3cS@8Y$x&3B_hC?Ddu>1VFh?--0ky$Dznk^Y92Q105vZj`_$*+BM z-kqHnl`u1q(Ncc0zhTODKy1_E%9v0zYy@0(ADUO&)oxs9Jz)?b5uaOw-p7gxtAp1Peu(B zr0PtH(@H}pryrvRz3nX5+@9Z?;W&401W0Z#@vM=-!6W47r>rS|dI3JT)~cs~6d}UV z?1&cOOMq>nF8$~u_zs2A8Fs}Fj87x9a6**d@gHgPP0L+P0~i9HJJ-k2@e{&Ip549F za07#Kkg4?}0RaJY7h>k|VouH#$Yq2 zBW2&e|D`cI$w2^Wo^Jd&+>gnjJob6EchV2c6T$H^qtBk*WnyBv5Ii-=wkUSR^XJdY z%hMX=rKM|v7r7tdNLfKUkd z>?QbkC^A!Rkv=JyN_~Ic30fRoK+@6C=Z*{y=XyN{gJezyWM%R_PMtp8TSP(eXp=wz zMS1(H>wyE;Mwb#Kn;omV+RR4yq&v|fJL$?5r$$y60(ZT9KJc$)tB0CNje8wQA^b8AqPYG8bZxblzV>6<=9d*?=zr&}zv7s3>o${aoW@nbmg4I>bp?}Z(-P%ooTc?VM;VTK!tZX8dq2 zGP2f&arf@$F@~_DO?JV_Ud9G$tf$iTwd)SPpnUxDQgVAncJHfKuL#`VEwgniaPBfu zQ3Bb;PL)TA8Sue7-={F_NVMV4M&^8EV+5MCZs5SY_Uy6AAXg7|NOY2tmYCW1~!<@X7b?@lNHIo#AB_Oa#OM$ob0L9t<=H5{rZsGhzdg)3Wu^2GBAMcv8C2_?@3pOQoQ z9#5#;^d5WldLE~p4ECEoqCaZ%UKghYK|%ec!)}q51!8h%he2nX7#W#YH#RmJ%iqS~ zMaG=3bmFlyvQZb-M;V*#u_bDVlC;#+cZHjWhKA_ji^X-eq$gd!E}brXC6j%Y4He_4 zt#JOb%`4d-64kvEQ-u&sGx^&P!s@G`b&f|)Em*sD?FxCj`=yCs;cIzB3=CL^b8V#N z)YjJKeq~ITCV={gr0vBaJ5L0|Md0=6e)V8SS)Sbhh#>?1Cdvxrx(k1PF|sg8C>@=RN(+aXjga_mjpPyT1 
zK-*{|ls%Mhxqtt$l2dqq3zR;CSW;Y40zkEVgwvSK@a>GGDvxwmL*%-C{d(lY`}a0A z<(U6Zy5bz}z>HW%;E2-V; z9!=}hX`f$SLS>lFY9*cc3cV&Qq?f<^rbnZQo;e@s$+pnnXw=NVzcr-i-EFqS3J}=r z@_=mNxn)v!52+|BJ~T_xjqIQaMv~w*u#ks&VhoiscS?*By5xr+ZY4@6Ih}>RMhyo# zgfgN|Q_2%P{c+Zi?uk^x;HWpZtOI@t21D^|GFZB|!r+{>95EE8$* z-#1lS?*$IWjKsZCDlnLvJQK=e8pVUahmV^*R>-C>k1?qaF>&qe?4W_itCfB2YtgQc zC?{AOP7V<*`2?`z=jN)Ihgn-UYWF|ZDovxy&y`tn=!Cve_&An7sj38p_U9KM7G9u{**UtZ%V8o@4fZg?a{ zqK>9!XGcdxIZAsOfk&iI!J&~gDJG>if$TvE>5RSTR|5TL=h2hXa?Y85SHzj7gTH-v zmuAonVdHVTy1U`CO6?{@IfxnU)nMICHpfs2 z2F=*}IHvTR#cNaDguA@GAPz&|JQ_ANH3dIS@-<}M07S&n?#_o5;+WEGB>CNsi4<47 z?q-x4gL#aPXjVUhwFDjiD8d@#u_fZ|;63sjg;9?mKi0uXM0Q}_-T>Mx8Gqq?jS)aM6| z3&dVVHY-ESRM96sH;vc{h8gne%~EAScH4k8iMCcZ^Z*ezw@{lfV;7@reuXJcg?S`$0+V!?e+k?d zR&c|>#HJk-Z?c&is=fG7uWZ!$^Tk+%3w@h*8XCH~x^gm-Ad_6bo;L7cwI<9jmo_m+ zAo$rqS?x($spfHw7g7X#^6uTc@$vBlo$EFzUk=?wm6>UTf;?4#jFZ=X2L)9W@49wS zR%+?Jd#+AScVSAU8${{zs}t1C+zET2dVN9Vty{NXxYREZ63jE(n^kI?tBZ(8=TSn3 zPB%<;e*XL;8~(dcE}O~b5}HmF+<1dcH5rdYhO0r{|-cTVKLSTqV*8Ar78UJ@`oO646S381IEq&+va2qvyO zdY!h58q}q?Z{JS4=YWNp23$BuFgteq!v9J>@^r?Y^OWCWV*2t+O>ZDT`2dUsIYdyus9@@AZH6l*_pg0}O_voYXHd)&qdqqQb#o>1J(}r7G*rh@Num1`i)lguEIrRo&XwsR zPkfF+b)Tl5b7IWPd<4;DS!Ymxt0u&Wu&9HW{C#9??L(w#nwt;#9Evj*nsistmnM6q z>!Y0@BMtaaj$g1?WJFp;;pZ4Lutn`tw?Wb6xvdX-U{Idy>a4GS%Jd$PQzUO_a1ce+ z78#kGfQ8^`mSt8WG{~kWVP2&ZMNMX7!f(H=XG?9{=7FWFHZ>O_ES;Nc) z3J274^&mt+ZAZfA75JO;;f7l=A=U~(p*AjbBYU7W{N~iH9Vc_MT#@^>5Kz~=6id*< z=9A;!WO+Xlw{}~3!`Z=iYwU2^)+89Y5Yg@@GEhg{yLXRTnv(LuLoJF&6HIh7%di06 zKd?VZErp7&qjQ)<`}*ZzRQcuW*L&e!xFdw`{Vq&sEM77HYYP%DdjjweD<26SWOMM~ z5iUwO4!me8w)ZQYwD1CIa4ahjdTm7o)Kb6zpjsXe_-@z!{Z~r~U6TgGbV}KCCnf$+ zGz~KpLII}KvuDqs3vBIZXlOuD82}R_{85q+OD5mDXQ!!u>gC^48Q_040k&%(SuYDQ8pY7nYZGGZ5d(Of^c-txm@Ek_^Mit>9D$Y*#v3(%0|&0L%HiI< zhxZ+O1Z=B*NKfx%>HrShJS?hwV>+^PHkXR1nA_g?Co8a=DM1b|Zr~my$n+#Q1K}>f zOps|qFRh1yccCDcs1oDfWTwUEuDBzJ0yz{B#NLF_E)oa(rhhNM4_46sS4-uY) znNPQT^FJO1x}Q$B+?7#hlEMa`&CMWu^)E+zmTkg+kFqLFMG$fQ57s%J)Q$rPS4!wN2D|QMlYJw{a 
zywMHfFEXMGUZky=h=H7rj@y@~2I`d`OZ=b{@H!q~DgXNNqMT6mqWOkP&OwfYo$!O$ zy0=(TaLDYt&w$6+JPa)wsD<}iSxGn0I!=o%47i4(muTZ)@ok{E-_8nZe&kFSR76W; z=Ow|?xv$=A`}Uu2H&{?LroEOp!lt%gyr)G=#_jR`nKQmbjh>X%(xM`8pid@p0`i|Z zAFBmR0M}clYm&=xP32Ct4TKjU-F=NM=>Y`2&4U50D`iTk_@7HK)6n{X@#3ov?)t$! zi?WL#vYMlDD2?3#z6zHoy&J4?C^8#n0^A(y_-lbc0Sk!W+&t}g*@pHZQZYn*f*c^x z5EDQ~En2OzOHqg}C8)}gyfH2}Y^Yppc^SAT6*L6!ca79eYJ)O{nU6aauj&q#p?(Ci zHW*+wADXbFlvG9|>yfiD>?BlyU~-`P)vJBgW(jJhxvMstCEfsJ9#GKq`S3H5LHg;_h5l}^WYVQ@+m%Pi1`v9;PM|89 z;!uS9vY}_xBiCYknf6&xnc&++@aH97Uc2ZY=DnEqcJZ0 zvCia|94?p3<`PG_a%EG2H-*bj8UN8PXz;_1nvQ()RRW-NG)l%hfXADL zt&FK*W4*A+b7#+@S?UzOJsSqaHOEMenTMpEx4axyHdmFmhBi6sw3v%AD^E)qjdwq>=!DZFo5WdGAjP2HoK>Cn$T93blg@i z?kBon#J$|yCNP^o#})ba(l5hPJcY8>!O>AqFIEfkm!%XfJde7c9H3heL7D#u&>VP#Q z$K|0{1!1Km9MLl%Aa6Q55Ep%-si{fRuPb#7JlXD=E?WPSZYcZ)w9E1FT7(Px0j#@w z_FOC#U|`S~k(@2~dFE{NWT~v%yg4Qfm>fGLF+5w;Alq=K;B`Kd(`?DW^g=#32ISavg_b_U7@s`0#yi zXI+pODJh$${nBvU@j4upu5UKEb}L(W|NecX4Yu};#%zi_PvQId^M|-xt88JjYZ6rb z-a|=)gFX@xNg!>xWm3w@7A$)W&-b}NN9o-R6wWhe&*|Y1p6kKU(c&i-ZhuT~x2G?K z3zQ%UL_L8VMU=lD343fr8YnQcEy&F>`{}1&Qs&KNrj_d#)+&zrtj(qZ{bPw99 zRxDr6M38`N89Rl9Hm%-3F;G%c0v~QUydo+Y(j!Lvp#TGQmoO6wQPjztL3fquW(y$w zlwvQW=5;W2QNxk2Knlcui?NlJif=a%-Bgjo2%n}zhY#U_pz}Z&4FkCne16NMrXY?n zC8?&izs{cf`vUpYZnOmLxuJ3C^5u{4NM089-b>P#Sg{Wfj3_!&63M8=fQIWu^e`Xb zyjbHZMQ|LsiD;N=1+Fj<>SK(%-(0`b>l6O*oYdB>ThHet0;$9F1fe{VK>63Ix?n2X z+9ibdA+W#oU`Z0XNu+fTlE;?86tisEookeb4yRK~bmP8%!B5Z`mZl8=AXFVYRYE8>0ZSb9U54pNC;m`0+;@t<;a!NJ;0x)Cb- z326PQ&&?(ZrADCzV^NKA8qE~5#~qeO_CNl#I8)x>=f$t9tG&^x+1uN@?YsA5<=d}J z1MIR^4RUD5=8u0L2k=J;me8V)h=3AelsPsy_?RH(!%@(p_u<|sWdbR1_1d-fFYDm+ zV1ERJL?791f*yhL4u)*HWef6KMN;VSIatd3`uNb+Y!%_E=_14@F{tY%sI*aLEGHUz ziROff(b3WA=%$QRPb6eQEzZK6MGQdds`-fjU(>stQKo?^$CtoWPo)A^SSXT@zPm+u zxx+E$a3bEF?q38ij>`@|bxqP6CA0a(CwdnXO&7&cedNYB)AF7QG;Q z2U?j-Rdl_}$-QNV|38yE^}BRDsM z+OaO8sJaRY@9-Lb5O~WDGH7W`2$(=Douyo&+b^{nkl2>1jqVPtCIIKVrMk$9C4@$H znP?n?8EBn|xArj6T5zTOHBSU5IQn2>=#b8pSbvSdHnX9iR 
z>I?2Ylj{ztWvKuwe4hb=U0jBi0o5E|=NAviqQwkXo-xu+_J-#Ku_%(8&NUbC)u(LSV@?6xM-lLX@S%;E8{K0`4U< zCs(=o%wvCg0bJoCz`oMcw}zGNocoOCNc7|X=RNlT1McZ3D%J(1MxY@cU}Oz96fI@I zOz2pEhbQeaT;yV03v=@gg-!6Aoh6JtAs{9Qohu1UuhBqURMcyt&%XWqQBw3;&5eBo z>%&a9itHd-;nOK$nMlc-%kA510htNT&HV+6Iw;AtO6(+_(X=9QPy2 z1Vo-Xe+?+L5XjtZt6>_-X}+ILtLcKx&b>mic<99%ltO!rY%=$o3xOA~uD~VX0z`6K zYJ{kA`}_JlPesT;Dez~YTr-3w9Da>Zl5+*nY>VJGofbQyvVxF6i3~#JpE~uA8s2#c zGEtZE`WulW9_8e4NyR8QLtR`_O6}K^NF_wAS`=vYCi}p{ji^6a)NsJ}GvmMI5JK2l zDw1|?uhYW=xmosrN~uYN2E!)^UpCR(Z%I~D3nWSiu65Sov;YzzQcZJP?qopahpS-T zJ)bH>YOf)@PUqOfY^*1UnA@c{r%i@I$B!=w>s+=R7KuyZi8z+3>T2uz^863=vKVjd z88vSHMf=Ljl7alK?nKSSu_E*~tdZqh<nfIhlU=qT;8~h z05{du)%E!gefszjpJfjWRCm9WH5z++CA=vh*Z%3Azpo&ByYuKr@aW)ckW;4Xl&e>- zf+$W+-GV7X0N2)%69rTi@0w!<#5 zXpNc)iR@N;7v2Ew6cN0uli)`*E1yDVw-#bQmq$bl)Is$l_*C!Y1#nD|-rkMgmgz8S}D5DM)5$ zAA!=ljL+ms?FJ+!I5BRRT5w3nxnZboXWsvV2x-Mf6a3>m6~iw=)1($c-_BU1YL+iF2-wzh_Tez~NaunDIM2?rR_oQ{F? zfpHA(Ls6E}Sv4VozrVbjw)oDl>H)y`Ig3``4S($~@fI}E5Dx~P5hB#~Bn^&@i7iTj zTcM=57~n>qvuyct=hRK*^Ux>7I!oB((RYhR5M)||iO-)uFAkuA?|8G>u!xcBf5XLO zvjyVL7BodYMCn+bCMvvhTQ5TH@Z$%c4rh;+?c&+rOYmQL4Uh!Qx@Eeqe-qQ|BjbbK zkxjqrd57B0o%`wVT|_XV74J`oL2ZX5QdudzdGia*p zXJxdSnq6pF(^~CbDLKm%4`4?%MFK7 zw)x$=_3wX5OG_iV)2IZK&F;Y1n%BR<$m3!f(3H>+3P7^u3?y@?0ria*@nDHWNzsK+ z)c-Me?pz4Y6mQrz(TKde$tCBePRJt!6|BOo6L45y&Gbs%x5-OK;iaY44N3Q|x-rc5 z4Y=(|H3TaIZs^gYJru#P7`NDegt*HAx@Ii0(Xv+e{(ZWgu)k=4u(D9Y+z9gwc4Acx zwFLHjkY%QdK%j7X{>U5j4GM~mjNJDoNh{!0TN`fi`4hkF_m-9-z^up#LSRPQ;n+Zb zKiGnmOPA8G2|q^3*C(i7H<@lXJq%)a9$eD%=IwnWq2cr4jKs@w$>hyMo6#?~Q@nGU zw;c2dWM|vmsM5Exg%JzBR@1R0e4);V6zHZ3@el&QWG}QQ%%p4r(qd5(G`55t>G_Maw(36#rnD};I(`lGLAI^I!|LN~Tzfi!C zH7rHYl-GxeC8SJ#T`le$A}gT%q@-zbx$@jvqo3Y({IFr|(sO5KtTy)8A)9dZ*p3BD z*7W8#Z;X9ZxwEoYvzyJ|1s;8^pW%1oi;1X*Zgg^=5KXV z6d&6X!DM6Rq+N6C=T+n3b`uT{UD`NLk|qz1n1J*`;@&z0$6z(0O7(z`Msaa5sy0|< ztUk81w9I|*nZfV#Mu4_Br-LSvN+(Ex3l}fme@@7SAEwq={z?DlmZG5SEv31+mb@jH z<%FwiVQB-cyvjxCIs`;Crl#4wK~_g|N2)j(U=7VXsTH^h%g*{6-r*w&?d|PICXqvE 
z=V)os-nPv|QGjmuK`s|JQn5Nu$#EfQVk*Cu12MCqu~F(+4S*vG_o1_M`KndDpFZ9Bt0qjIR13S02N#~Xk z4Ea7jJ^&jIp@=G@n;PyPB#MdzKZSLmzP2DP*piwE&uB4b>-$d@bq;6&qK%hHz(#_W zk=~;hd7D_*prhn=F*vZ>Kj{|dX6>GYc?+6oTEKjp5!{&q4^?&b3}FmxIbc0%3{#VS zCd_HZ>r3oVR%d3Kk_6y4E`a|kpuu9Mf3j`H;sRhdnHL$=W3yXstXj3oW<)0O;q1}_ zJBvb4YH0yihh_ZcvUvXdV$eNS3Q6Lix+*tGpz zlk=LXQDvy>&DVGBn}2TGLJKYb&xAMO)?8NE%=z zK@>n^C?D_Y>Vj1ZBy;&VWU(loJQug;ARL|SA*5+s9D4LM_z8H1gdGpYEcz62?}^Kj z#-b+&U`Nf$lH+~`WH;KiYi~5!zvnk&iC6Th{UGh@>QE(Ou~~lfRBJ&+%N#-2b#I%( zwY3=`Zj3`Hi`39Pd)^-ME=d+AiXn48L5VRAY>w&8YqVQtn~kZ1;wH61*kefMl}QM0 ziDM1ljr-tEnS76leS77N*w}zf19sP&>m!KA$KI1+f~*f?5R3&Oq%1#)E&zzwcdILi z3^XTtrQ+|f{nptB#E7I6A|1$5O2H*45xj~aSZwYG0*gxS&tUH5BNB*~7Znvneatr1 zq+gBvc=Fd@NBd5>Q*`u)FiGgoa&O%_0-pvu2|l#Vt4)%q>@?!eCsQstPtwz0Y4BA< zGniWoX~|K2eSOQ@q=5<5>bn}ln%G&C)e^A0<%PHLLwasU5c)CK3g-T(Id!lLrX(l# zwisZtdb+#UH4@wnx`M!f4-BwcTOs12K*v48NHp9S$l|G6w zdKZx7NdT;LSCs4YaVWoJey>^R4xSR)yOE~$MuUZ$gv?m~DPqx@z^*r|YSzGvvM_7G z&q6~luYS00n4eHRfbB~c2fqM4%$1!%2IGQ0ONs#CH8~|Ey~22IU4{6GZMbhwXa1tU zty+|P(){J(wVt!jWKrC1g8oaw?MVpU*D4z5yZEaF`jWN|fl7FSb6}2$tWo;{x|j_X zlv}&v^qDj4*Az?3T>G*)HRSmV7v4t))j~lwZbT4gM>Qga07(V~6{IG@_7Z#L%9c4a zK8J$a^qi&o<}`@iS-U+^ds* zH2?w$ou<+>BcsYI(iZif5cwu~JbnHs4(03D{pWG>qu=vnZ_^B>8LX)9nScIpW zTQ7+{J*u=%NHUOPp|5 z5j~w16>wYy1f*3!PEm%OM4_R7Pt)n;4`CAqQcpIXFwKnEF~`YV8)Urx33E{oC8Bj( zpSw#!rI+`ISg z`PJCM@xRdY)^+ur;Eivymy~3c-C9;+tajZ5AxGuH|NDLz|0a3-)b#f%m!RkRhKI+9 zdos|Gowc|hfK!3x(kp)U#^ym; z3`@9GQew+9LxT^uQ`k^Y3jJ&kHy9lAy*eVruf)d9ELL`Q5};!Xtiz=O^b2XPU7Xqd zJ43)>WZ9M2C_cV(r_4#|;I-}R z1I8i@u!kBKOZ0|o;D#1Jg%^2P7>uC{-l-KLw~{u36>MDWS3d3y$0TFCT)uvU@%6ns zoYUxX&$8MFRG?dNDxd>aE?Ico* zd3ep~RX@91yvB3Dv5W zr>Cdqe(V?;1#|mpH5Q-Gggq4X%x7j;!>QfFxqQ68b>`a5P+RD42?@KwT`j?2B0!=` z{R4H;dYZR)w!>X4zlIe^4>!p)JC&w@prEKy_j4bU%VME?HpquZq9~;OAR%G4Y)%ba z@rMfqFb3GV3kaHT0$>|@$N>8_V*HU*?#B%I20|b~^R>;)sqDMnR_9-!;c1@pbU)40 zAO7OZ{dYTT6cgGy>Tgj#zKWIc`f2uowEn4mxXh9KW{?%B;|Sl8at&xwob!&>Hnb7= z&79?p?k+rdA0@&@Yi4fS&*|E>Wy=q3m+AbNOP4m-4B*~4lc)8$`uh4u+ioCKvCI82 z2A2>b8S)u9F>c+YJ7C(vAP8 
zwQCQHIdA*+MV{RUkwmB*HYPeCy(xQY?+idAvs7z8b zY|@IPnwg}d(rHFz(rB9I@P58|p6lB8djEOf$NFQh<&tKa@9%rx_vdt{D2m%Jtut2u zgtIj-!_Rw`$BD_UGU4m1s~(naax*c1Y?Ep~)bZdey(9_(uz)Ab=pEZsraqTDnAq+7 z2V8Q!{Q+I;gq6|FjIp8IuM`eLdMdFV%viOuQ&tZ0Nzy)#_{#Kk5Be&ze)`(1)9751 zuJLB)djf^m-8~Zv6C+O)qAU|oL}-Eeq`sOLpBOOpf;$VUV963 zsAO<(4n*&qvw@^TIO6BG+f4$h*L)Zv1Pd`NtTpD@~;jfS1>(5W@j=4Mwr8m@_W8=UdfjSDCAD77Cc(j>~5PNEyD z?a}O*q2pJizG)XexGY)a*yie*VC9wz>UNg! zTaplDHAK1(mZYz_q#>nl-MPzRN3JZ!C%gLanGg0#YZAq#>3?^RxftDQ6^55}5-C6z zZx{cQCkKsA1xAF2>jr$-*v>OWOom@k93M@niy~s}(OOLET4e~D}IL*r7Q8AroPk;6w=twBRa=rEgA$I@P!;|u7!NZ!+Q}muXSFmp8y~rh z&luJwj@Gt1pM3dz%n>z;1#7p<6$)gux*tUqcXo~w91d?IJx!Ohn_FU^NI!#|pOb+p zGaP5-j?lO1T|z^EtBj;{#x|RojnpwEuA#WmiJuHI)x#;GwjLb$3elCZd1#cIk&UD@8w2kLF5MVNfxDMzk3jAVi0q zMz{!Lgvg%UNs>8KxC*s@Va3JNawJ(({?^UmjpOwLS zaTY-q0UHKg85|spH<{Vx@8_q*M^X|#J>98OlV-Lci?zO9TUXcbLM58SHw_IIq9fkk zR~Q#4+!YV12dvNoZ&Pi9&H=VshbTcAzVy?lPZ{NjAZ(+#d3p9H&$_N70Ip_#i;q|< zLLY&B`kagmOOgJsy21ErR_W0(BO5jGjTRT_jV3zTdMUt(!q+P#?SJ(f70iOw?uaN@bUbWyflXdl`Pq(O58_NDQNf;Itb*6_ws3}U~0#4}K}r7t^) z&^bN*@_mQEXW+q5Vq}v`ar(%8SXl^C1k-bw6cFpS2;7q}?k@fFEu;-=ycl-OrTt(Q9aozH018MGPNCB5>tb@1S--vLa-Vzf;lEZj!j1X7)CmoGhQCH`%^ zSwfk+HkF<)5&&^{S0fqAHtd-_12k@RrLn@U0r5=HOk`rt36@UinQh&pw3C1QexKXl zQXW@yAcL=v!hld;_!!p#Y+FJxdR?3pqyxbip-;foDg4^{dM|bZ2*dSM>L}7{p-9ij zfR!BisN;0bqa5x+6KyDwwKSh^g95f$B`^ENa z6884$K(?--BHE2;E{DTFN;p7aq{AFDjacP@=?h;XJDdhjG-73%_Th`B>m<~aT57^F zQv3Qfr2^F=4uXuC0VL){@fxZJ$x+?!XcoA73$&1kbPHJsx+c`D)9+uu?dnS9(1;bZ zd}4|3=@9#|c9Za)ql+P!_OXS!9ln{E7_V$5dMg{p`?$2K>5f@@7D?KC|E&c`Do8*} zw<$2L5$_KfE+CqfByC9vn8;2^m^LLexXxX>&VxcoTQfPN{Te;yN^ESZ4H9&6&ZO=1avtnJlARO;y^`L{65PdqVS{q1($?I8V(T}G$E z4M4^=Y)B9(4*}sX=p^Y@Wq@uPzd6!1WgKq4zv#aH|H_8s^(#6mA&6B+BoiWI&e2K! 
z6NQOu1P?6AINB-809+esy12u{I60>u1_B<$O_x*nEV*($uu+PV81mX9%>ZLhJYIsw z6f$4K3Ox-CJo&7CjjeS{)|szgpWoRp6kbtY#m^WIc3CSd4X`kPyDO980$qE{#*VsR z^TmI_9~kytB%0P_f`X|1ofX(tpSyb;=0oO+I|iKoJER$FkVGD&rq9>cF9Y(e&w=tB zhreV1fl=8Z(6)P+$JHOsa{)O(<&bK3U>96UPW`}wEy$C_lA^2hE^&oQeBsq?C5bgs zlB}qL=}JJ53@%7CyhaHfYI*28EffH8@ax3gq{oNPte)Wf(@zfv4e%LPR9MD+_O3#Ls*g)Q2C!uP$^>d$;J_i&viwA_)pd?lW9~NsJW0Kdz}F77#{Yt5!|cy8 zMST@xVMYM_2P`>^9Md`gjO9>NAj$Gw(-E{CCWLNnYDeO-AA%`d&t$+p|I{*^(m^JY zBwa1y`;&nkADryFs==Ds+VFldqhdl%9ucRvp+6jgv9yM50@hbQ9AdL4M86*>2~|6k zSHBN&T}>J?>_8|+;*H|eJwKr9Ea_--7k2_zk#V4OJA&DLlnB9Y+!?Y9>ogX9Qr((h zG$zNSC-!hA-#dQe<8#T(#~QO{d8aXEWz58(*~I@{I%Bd5gwCO~O0NPZ6zsOd%t@>*F2BJzDv$!-z?pxF-Xp}8dBQ@saCG>dtMcK5~& zulNzm{AL&otxV2SxPCQlm<$jZl&uR8%b-H_+)Y`7${onG96G^da_P%#Qa|D)V61ud zYUw$vr3e1FfRGX$WG<)M6Vf4$4g7cE!o&Eu7mINK>WXdYmadjiU;a51DOem*|-RY)r6 zgw-I;Ef*Z`Hnt~%R52k=4}zoQcRXx?>Y{B|7w$E@_L!OW`u*gt{h7qw^By=}K>|d$ zMT6`}0<8!hq5@}244v|~I#eM7Jy~zr;TJPgpWnpk^t_9MYU-c>P{NWSfx>*a@~~;{ z6wVvS=2o~g;>VvIV@m=AI|Hyrpg=$Z^Rp#*G$Mq1;c%ghPA|h`da0mc{lsW5>DlXn zzPj448F*G^ogP$}1=q<9%KQy4G8VxxNVM}|RGVq+I|Bi!Mj7^uoP;uMu=nsvjKMcQ zOwUb3%+Kb?Sr$t;@0TpGK6hZK6txN=AIEZ@t4a|7XyvB!@WBJG?DDFrs9VcIL766t zcW1_MnzDi?zO{YJ6)rvakvU#MWBy^ZOnmn2Ot1trT3?Im?Tb`mp!_n7#FRHUJuc8WAtfp$)U`2tMiz$DIgOGh!f! 
zp2a}V2gJL(L4!pn`%!>N+PX2kj(ah@rL_dVb9|X{1f^ia4Id4Woef=<;PkXWj7&aF8 zzC`OwqD0CYeD9N$FQ@`&RyU`SBpE_*wa8Z?eEzNd-n|BvuDf=nNbY2$rA^5m0+YdV zzwg&XmkoLahVU_!Br71>nzQD3vik@4>nS%quuFyCzwhd^6)5yjLS&R9P$QGgcBC>O zh(mcSNi4EqVDg#cONOYMB))MN^xLGF5PM{LQ;YAqhe0z{ZH8 zK}D!QV(gUPz5A!1h9F7E90F;vB{~2AkyCCg8U#UScUt}7Gc&QZp<1K|hx(j3zG;!L z1HVp4(3O}OkNwjm9M9)`?)Wh|TV?xAXW?(jb745iTB+-H1cEBCGV$~PB&PpU2y(0@L1h;p=IdK_GzmP^~1$0b$_Q zxH)+OqWxMQeRcI&G)U(7vu0*&TuSNVFm1)e#)43dnr&vIkH|>-{Cda)z}aDW49u-8 z4FdBBG08+W`603wc}P3LOpJ_l9$jO!o}YlW*#DQ(u8&o;84{HVb2uXHIv5MGwxXqz z1a^6r0Iefwm~T{4=~>CgE^uK!Xm{uXi7I&)+S6VARb)6SgJ13=+!exMnCqby;C&>1 zwVKjZh)l%@5ENiv|9*0+nv>6I#89K{fzSo@n=W z%?Ds?K9U687>h+Dt9RiTr&o98H}t|;o0P9=kqOv_S`n59F`)?Jtb~X{=@W@+&lH9w zoUFqnjX88|_+vD#4*@xyK7HSvj7>Plymob+wMd;_(i^pbtl7dxT?}8i%dRrJXAMF<-fWTm(zn53_ zn|Pw*b!Ypx7*`M}*pw+d5GQ;6GhPJbNK~mrgoL)YDKvDEbJo^#o;Z#oFo9@2}J4Z%ae?%!UW2K72Vx@%eJxcLhwvS#W*) zAkYc;zL+M#Z|`a&t|nyP2THbrH`+qlGDlkw*OXzr1hQfwK7LM_6g^d_a1DA&qC`}p z5NZqQJujhO09t|OAN^YOmW#SnrxF$L7;tM`DAf4v&|MNCM41%xUICl!Q?dujbtF9s z9GF0#>B}H;f}(#v^hgLHvkbuOKIYnbh!HV;I5x_QMinKbaV)iWs3MvDZf?1Z6U3hk z)77pj6)@U#%so_Yeqznl({O&)SWTHR;|#P=i`B>rK)IBC+H~xgnA~*L2RxxuY_CeB znPhaOrzQ*x4LMfPz?|U}Rp0sch#k#@@FazY z=l9*f4CT`cL86bjBx}#zKYm<-fHV!sqSdPlu@i2!1cyXy*-F=jG5+AecW4RYrHQ@( zA$e7({NC9fP+K_-m4ei>kQna0XYNDA%?R^6mrg|k(#UgLc?aKDwC-T&dq;6-XecQy zLF@0->&T;-(<)xPNdDUFE^0+s8|hIjTOvFmd3a(`>7rA5Ac?4M> zg8N=5hTX>Ziim>#QIptALv-n$AGrP}I!I49Zq%~+WvyLwxzW9s#OftTPepjFj~Fv0 zONuDDY?Lo51BITYoCED784IFNt5)9Fjv(1;O_;oixXv{yP3j|>UWPL`0Ci9;+to{s zJS-w)5xKGbTtJ!#jBdrongOGcNMNnTCz3G^@{Rrmwh3;pdGj{vEAi8WVYZ0g0dVla z=k;dL(VUvI0kSbDzhgP2+4=c{=<%G?ZL>pqp)smPIo2hiz+kv0Ou&(7nXCRg^wZ>$ zq%t4}X0_2q-kW+UknDr$r|t|my9dZCp*-bceGR@10%m_4c!wkb>lu!N@9?IOUab{z z=)v!i7#%rgkyg1?*1W4|T13lmea zfDXEfq|W^s$0i+`J2XxZX>fl*!y7t)xqmD7`nyt+Ddy80+e-Ev_tP*JoH%i|Wd z2SYnpeUn&u2&=bIO9UnU^m3Y}rY2I^-mI3Sao5dxT{<7)44GCdDVWD(ze_h&&~PtI zz=Xwjw8eNyX`Yg6H9VTd_GLKq=bMU99{osB_v}06fUHp6eMn-i#MR7!quRQxpGe-g 
z5Xs{bvc{Z6<)+aPCV3Cf&6QvjLjUIV)`~FVIZ$EK5PWtK8{ARk-Bhx==|N;^5H;K^Dg$kcRz~2EEaXhpbwM!w)OAhiUf>9+2pilxW21}UPrH6)SaVjg?0jq$rk!ZnHqv(FDgl;15$eRdF;vmRIFrhivz zh4Hh}e^~4>yoMiW%g(^Ml4j_zY^YL_Uqy#!vzo_Sf$CT$?QLLNi4bTe7i&nXCUgebxYat)pJ-< zSfQ8V7j6LR1~7V56`oAAfAj#{&GS~3RQ4V9o~yI{7W)eM_?bAX1%f=FC!2Jh01by` zQ7FN^w=zr4hM52c|4us6l#{^^zkT8?K6DLp}Veuytk!f|vcMyy{4Np+>)#ju|L z$pZ}>i;kF&Q&!Y{yR-Jp6OI<(;aUiXhi4e>nOlMMs3jFp2_i;0;`XES6A`qZmH-|! zThiT~L^$ApnJ;0^MgwZDchnk!5Q-~Z3-sb_kGnPQ$q_NDrb$)Lfi#vOv@4>G-=gDs z73f!*GC4W<&NgNLe<%+5e4YJ8lUDexx}#yy-Mhyy*at7}A^i)YDn6nUhIc-r9M1SK zA+j2tL-Am)4;=tWG`J}s`#B;>{2W~lqq)T}mQS$BE;uPHjRd2lDxul+@$`IE^b1ld z=?LD6kkOzOE0f}|62;*RDD6;Bcf*a_-+{Sflm?B!CA9p z$r5m8ymnw>2=w8%r>I8|BN3beLNWAZHv}Pe(C|@Ih^c{TBuQ6=#Pv|&Fq=8T2B5OJ zL{(Fok)O|lPXiMges>K^729F-*geq|xEXvT^Z_XHoei}lQj}9jGAAjg`~bpkR;c$K z#3sBeO03ukG@2!QUQvPNfVeb=&%A#ry}av4l?U9<4_p%twCrnLyd zK@vb4X&(hu+tiBB$$azvQ?1!w?#P|G`K_I}35>&uhIX`ov83=5Lx6MktQ4q%m4sYz ziO|qdl{gHT>XCH-^v$r>7LHkWvJNiA2;0Dj2zrHtq-Sf=Ks+u=IQu=7la_`VETbF* zW}`P-jyKTW-o9%-=2Ta_U&#xQD;U^O*C)YpBVWXdvzP@%a6h)_Zi;THtULl&PWWRS zKVe^A0{ld>1KlUr;+&D32QfN88T4>G^{aShaX!+zRFBmeuj=YjbyejwrCrgxix)3q z!B1H${HHgN*r&8=M^I`H775xZumBIZW3c-N7`dh)yf%T50uI|@frf*L9sn|Tp3Mq$ zcD(N#f*@nmH+vJb2tEl1=H9(GC`_!0rZCBx34&x%KDT4In&LO#BM~qPBn(dPfKekU z=~EYaTSPz(N=zX{aIi&E8-)pCp=A~KA_*M=pb1#0>@e{cXD`BE5mi0}Pu#;6fH|q_ zxpy1erzG_3y?L7*h`0D8Z9C?(jqQU39(GW{YfS*lv@R@+<6{j?#^P!^lr@k+4mSQv zT!kzHP3Tnh!>eAtyvE6CXH8@!%HJ&#`d@5yLUL#`^2{(@7(7MkE*zwjNLC$9{9$07 zOF#6`e(4H%yPir4<>RemLTwK$X+A{%Q4@TrntvF0P)ThQJ@F^S5Tz;{AUryMa&S~~Z!$DrCNiia)ShT$`s zis7Nag@{FhJE~CZfVmp3%>qQjYsV~gmMs4yB>~w40QwA`0tutxoy?KXdrCUVDg6DA z)jh*Xqd*}amPQ**u7`Q*j1a7(QAQVMq^|*6Qfg;w?Mv0cT> z$)9{d0-)w>1yhvGp2$~$-ScwkCsHm+mNWaM*S9c=^WLaP7ePoxmK;A8mK=D2Q(Z%I z^M>v^-seNSRUv9!iLth(?i5Rk=Fzy~)Zp)W3Qx%So~Cb6h@_9&Qb>Z1m?Y;9mPBko zHx>NG7g>VX)MRt~`0^p0rQM`+Tw-|jZ<3Fnvl=*BUDWbpmyU6BES6l%D1%+_J2K-I ze4;@-hP8^1gRo;9i+gSgZ>-1U`0Ogb9h55e1J9L(A^-*xw57d*cz5B^&FH5aAqh&v 
zK=*i`0&kM5CUjcZ0`D?-)CZSMRu=4RHb@00Bp+{dQEZDJd$xB8kg#dJAtWoa_q3$+ zEvSbYS@v!b;pnYHe%>g$G-k~B<=f0RI`HunZ>grEV??_4Hxelt(Q0?#Cl5WV=S!q0 zmHGGYXOuHV&Mh~=w9@4ZqSgb^jOzYr4^qR|1LUHr&`kjl;k6TIm<-EQ%gO94s(f8t zeE_B?)s*~t9h*t!EB6>`b!8`GCgLTM8G%t93AbolTU&e~WAnwC^MuUPr$2%1?QV#L z+2|Er4P;B>+Dbzx09P(TX2cE&Tn)85{J+BTih|~1GKA0(mupaw2ubt5Dm%(9)+E&5 zE88*Bdud(Y6h7G+Wv2wp3E>ueLjTes$m4dvluscE{;6JdLz6No%8?e860L4`!~Ury zcaNSTag)*mrNMVMasEJ;>>}&Dwfs;xWy7LHArXvercXpWKRdnD9)EeL($*hmCSURo zXrI0Bq9_Hxi6*o4(Rt?#no8NP0`7TCA_eY%+K#wa%F{&)7b-D5*j1_EUOduVyqCIx zMq>g>lKJHT7Nf&vFB>5FGMFHCN2$t881pJrkH)GaG$gGYUpyHbg28r$i}9=?Jv{s| zbjXkkol9dN9|6`4WC9Q;j^=cGtl`22I&U5Yij5d4jPd}Z2`Apr;H;0eTs^?+@oa`0 zQNbq+G7xBt!Zf5AM7VYo>dZyZ&NLudny(%LJ2j?|j4r)(r?Wh1BxjN}vJBgVqTRfK zLqUHah*jaffEC<63M)b(Dzu|9acdR?3?G*eJK6U79=Hu!Qn`ZK^bEu+UIi; zT*M*urA)-(6!~wqV}z92IXZe2IAKU|Xd?#+213jrL|gjAarbW6i-3J#cyiDuvFSFc zrpuO9gZNjtN6uPV0R_qy(@~uWujI#MGCCrj%DHPPE(9@#+sG3o3|VdBzy$^OL|(nl zvg)ZTuzF-n(4VgM&uxeCe@n;xrT_eLNb-LTU87y`=j7}EBi4EJ_d@H68x}Lji|ba> ZcsZMz+$m2t;J0J8S=gB8e82za{|1RL6tMsR literal 0 HcmV?d00001 
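Review bot: the commit message `fixes` says nothing about the four new PNG binaries (bitcoin, ethereum, litecoin and monero logos, presumably for the DONATE.md changes listed alongside them); for binary assets the message or a sibling file should record where the artwork came from and under what license. A reviewer cannot inspect an image from its base85 patch, so a quick check after applying (e.g. `file` on each decoded asset and a hash compared against the original source) that each is a plain PNG with no unexpected trailing data is cheap and worth doing before merge.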
diff --git a/assets/ethereum.png b/assets/ethereum.png new file mode 100644 index 0000000000000000000000000000000000000000..607995d4d468b171a50481183b04ddd5e392c605 GIT binary patch literal 38170 zcmeFZcUV*D+C8jOWQxMr01IHpLY0n$=m;uZ1VKSSKu|=Q^a#WmXQ(P878C@=2uKl7 z0a03X5FHUjN~i*Y(h}(eNJ#nC#+fdU)n|C+&Ba8WdGqFf=5olu)xcouysz*Y-Z}q^ zdGqls@^d`><9QUGe>VT~dH6Li96w9&oOloMvvU5IbHC5y`KmvjU%~Uuf4qnIB<1;^ z&0B=uH}SI_&zIqM7Jl3!K7Cd>o)eF+=KkAa`z* zB6W3Zoh8z?4*aTcP)^(6!cl+22G!*Wl5tnoJ>q=H`|ij5+g}xbqy5#7iSPD)C(_JK z-BrJ_{Kc8+l78vo;m})3;j}{wYGW&G3Y}InVlUL0?NMFe*lNBr?05D=GNnsgFxFcc z)DU$l$DztK*DET57Vfx29Ek%e5$)GA-gTuFRGHH<l25!_n*a41Ki%m!ennY%=$6_q(N*7Pf7zv>WEatD-Qhdl z{QJ$e^Se9_zE(ZL=-b!Ipn8bwzq)eRi7g>RGvORc3B#~03UaeNT0uL8I$2CD7r#yYNgGlS<&Z~{*#LJ57*37-d&z-dH5GKfO zuhTATR25Vel;rh;+yb_*)BR?R&go;W+6VOZ{Ba8Wi?r^9pP#q3qGDiRphBREg4gNe zippAAT8c{B6}NAf$2;VGgFXEmgXBGZ*Au7sbPhciU+2?q-hOUgo@H407~VR8~+@^zcyp=OcXm^aF5`Kfcia^$1_fU~d=2 z11`Q^{->Q?^aETx{nr2UDULb+b-cI#=~Hu;bIe)M<&=vD-s+1_RsNTcB$m=&M-W4B z+|9##?kEiQzr54W&GjFH^)KIz_{-eo{PP#V;eVa?U*7%awa>j7?=msb*7I`qC%&G6 z9%&u%`P#?4oZXIT&pqAlqM~|CRn1vm*-1-HURA@AVoJUn@yQZ46v#R_t7Y$W;RV_^=c}*oJb@^k*v@|pvHC$Aj z99{nD6lSO0Fe@ET{qwgXPIU~YQc}UYRUI|uot4xOIUF@K<(-sWT;-Kq)HT#p)zwuU zwLYEdn6vgCuhSlmxSehuj>laTy*-c5eFib$+Pn4}kk)NiQ2NI!`%gLgx#9rQI%79a z|Db>T!P3pc#lp{#7)@mjWepW|EhQD@?Mhn8%4+|3la%8hiWAJej%(50ecHv*&+D|Mm)9xMy1&BdUw<~iaysVd=cwoC=Yo^|6<{s@46yP_ z2(zEQK5;q|uVZem!T)dXCKk^c9lRg6e4m>yK0kQwrB5r$!o}y)zdrr*l-t}=TC-+u zQD{3lf4T%;#{idObKeu^`t&E~6ONw8T@XF~n67`m?)HC~3QFoKF6xdh%JLe@n%m`7 zHC>$KwKNg=RkfVdFqJfww`*wr>)Cz1T>SzaPrK|oj&a0TVS3J`o;922Zq$~4eRtpq z7ve5pz~q(G<(0PoF<{Ede+-!79~Z1h#Ed_$SV!@HjET)#rIf9uWvon8MOu77I;{;fCvcXs`4 z!}ZNS=#+~mP*5Pq(!@$FJ5a5!z4smVoj32>rNqztc?mZq@uG;Ifr-Azz=F@jwZ7@~ zE(9B2GtWS8mt|1f$9A_P*LsVE!f#i2?OE}~vsFu%?b_)xZ~6YlYb(;?!9*2gm&Kh@{wyD#~pY@1g$^f9`Lh%+S8_;;)FENyx-jCu!a@! z2iGS@387+v1^##TDWMT8OvnG`o!f%{Ng5Mxnfsg4b>hIeza3Tj^3T70I(Y7HpAP=? 
zx4DD=zn(ZuQ8a;hah1l!%CeIhFP}QTxG2SCQn`b7yy*Og6x|IQj#Y#&>N}j$pM1u% zIoFQKiCQYF%b#pua$ZQE`8ZH_o5{JMay&gXb)clP-HTpUTx>(4er!>ekcb!XXSelH zIlU5rfzx4p?v_4>Fi!8IN178KMFzVk*v$@SD3rE=?)_F)>dwy>){z&JYmCN z#)O2z5zRAGrz|b6+`fI=u(Pt#rTw8t-(g{3SLpQnSh7{^i)YX7+Lbf~IP4K4P3{i} zct{C*eN)S~|FxQ#aOo!F6CNHe8INpKr8X5WXqcSz8*XK6590-OP`~%1fB*gW)erS( z0$J0W8HIxC8!9ILW!6`&T#0=Cb5D=cs!)5=WSzrSR!#n|Me1C?TC_;5yRW*s+R}KF ztZe%v7a#1G$yY!AdUfKkO!F7yUPwlN+wIVP^>m@hqvGP>w!&oRI58)M0W6UltvcTeUIl5ePcw8d>ST2?`wsgPl^Sd5tC$B)0Ltjz4+dtP$w zNx`$IrRC-2Km71RG-rJLv^oFRUw=J&b{?5buHgP_MiLl#{y|l#nRE=nsRIz6PGuc*gQOSgCck-oAS2oOc6yeGxnY)z)>kdJyG}W zDOK`*`}x~DW+|S@73wM~4Nspw9oYW-!m8$$mfw$Zg)4MJf|?&s&rS_B@MT4%bu#j1 zu4d|UWgCfsv5~lwn`_!wOWf*0@^Xi6`s3N*lHI#^GZde`c(GUYx*@c)o0>k~bInp^ zQuHdn{f2l{k1A0pl;~)Y1q-rbKZZLlTei%v$6GVtq;DuEhuXXq>?d>vJ zr=RKYCkGq)TkbnEIi;mK6-vMT_S>=vD(96$IhVODlz;r#vB>eFj(~QLqK@?B6w;Zg zy4!mh6Grh0cEx^fCr)HI2`=rG#*o%Eo0*zkJQ131lIVK>5QWW5yI%YHwKzkDL@9`m zx8Aw)Y&tjGQO>5|1Xg8q_pRL#4<9~^X67Ave7fq&mV~MN0mmy_w{1(*^r2D8A3r|a zXhxxMZ^!Cx9Xi?nI!Pc9Y<-zR6$HQebr>_)Z3;0URP&s(fisX`OTaC z=HxHG{F3I1;bD6Tr@R&~UK}m+Q&x7iK3`T=HijFoP#zmwJL0XG(JyP3eAiz%5O#Qm z%Z*;pz&e{5zI0Wk8RxrIYA3HWamU8S)H}$zxe+p9LEXRo%nXLIWzMgRk%%c*Wgg(N zS+Z3kUw%nKP+&ULCYm@ot<&IdjSF+XJv%D$ALWO+r1WV@4)i=(a)esWpK5<0Lp?&0 zS+%Mpc*2z(a^OJyV8b28#Lqwf9PT(d++o|m)}4OqD-$+ziz0aY*tedneEP%hLT;Y0 zzEL>d`-&LEWV3zyFpS^vqmVs_cP9+TtIDic(fao7-OiApphuWP)59IhClEt1=H5wf|8hx9jqsHs{YYuheTuHO zwhgO$>dkI3{%D05la1sxTeU6k3lWiRef`xp@=vvH4`po`B5&NNUyz)cnTaWWur}{- zzAL6@>EsGy$Ir(nCiKr`W(0MWhZgqvJLEMsW?JlxmChO2ntJu~&py*T=VoYVh_A|Z zs0*crhJ@(lJ0o5nBpz4O*>NHo*|v4-!iv%9Y3pi5+lR&ly4$So?lUkjudPic&3aL16AP&RRNi|T z=#U(T!(s9fu$_MU>1$?iHiI(y zZWlXb&z|S!SEw{jC@U)iELhaOc<~}eR3wvt42o1v45d6heGgX_5pVnU?Z)G$Tajfp z(*s93k-@V1n-R`kYgXF#EKGmYIr*{G;>rlp9d2T#!mh^Hl9G~vxHQ)LzP|J`p#@F2 zxy0ktDNCVjO-;?BMT=-;a|ee!$>F-&5lyqb!^2@?J^G=n*3Qn(sIl+O_s%^KLIxZ# z7+W?W^%Q!VW;3!1!;Fp3H&whjB{pKB(V^HOifMgZ7H=6NG?g`_(h7~ z`6{nvIsJQOLO&qQB@-dG*q_xnv0}vv8q37U$oBE+w1|iZCqaFh5kLWxv(f0Qf{jp;^I?UT59$_qhpo1bmFVaN(dqGU<%f 
zko9-^|$iw6d zX?@_rms-eN6V5W@1-p=T2 z4wYmMJ0t}9_|&!0huQb@^H~SH?87hT?zrB=6<@V#cJNNh15si1B8|7+18>%{c|U!< zH16_c#st9I9n+)(#1LpHD7@BTIp05|cW#h0{r3Ifpj%uYgZ{g4$VoVPhdj3b$;~B8 zmmdCN-&hyHIsOJ9d(S}B^#rZ3kkQ(DBhjaDwNB9fE6BujVyW4ihasxduu{V(<3vPP z&j8473x9Eb1p!UXg$Tn;&g=-C`u;g?^>i1N+I06YGuV70+;O$G-)1eX!zAkDfVnyU z=b!7d^(|hF+)K-`ayKxD zD(52pVj{h%1~S;)L(lrIbjsx?_0zZ=#r_uL6$>lw z6%}b56k;LU%*Hp3FtX!MC=ETcHcd|uku=TyI;@H=x=2R%$d!?flA_IuTuQalc`&o6 zajYC#h^1wtU0_FAvW(Kvvl)VSPtTe7Q**4cH z1qE6umVU5jZo!JdN<#??O1^jKW$C{9_&*Tre?)Tqems|3EGjBDTv(c?-Apelv%BKu z;Zf!{7)LQe8nDX}0!}tHS()26Qhj~%3#f^?iW_Z0I%=(D6Bb|cOvVTxp=Uar2I@QE zqphu-n&{vjI#|)(*_m5dK3q|Aiqqv7bX4>Hd=Pc1v(HL{CklpN>c@z?4Uv(Y-G!{? zJPEdndy||f%{}AMqZS=8YagHc863}!;wUEaxw~C8W?&9~18^MEtM!4tB{5fNT;e!} znTZLbm>L%sr^h!2m9!)Si&#=SOM^?5*B&@zSp`@(F*^G_O=EGhh@zsR_S>5SIKZBKSNMLL6uO+pi^lf zvbRahge^HBAi&eplNlUS>Ez{=muyXM`Bp+<-}Jepq$CQzug|q^iNS1qF1<0$C_YuF zS3pfjNU*WBEwumf^5x6<`T0(d?%%INP$YG|dGn^TQ-S%SwY3%KJCy9_=a(U&xNV#J zi4*&~$TWUaef?=HW_HNo!#7U2w6(Vz85uEH)|QrjPUJ_AAN#Y?S+)!7`kL+NSQ~!2 zN6JGETRKd4ZyMU0g%_^Sy}Q3h9#4fWPWKxD?8-AnJi!Lf|^dkq2 z9YH#w}OQc@lbJA$F8AXo0&_Z@?L`a@(!7!c#B zquW5^r`hb~46hR>9`)58bu`~1t64DnUPd_69U&8t#2O-i1ozghTQ;mb`!Y&>ssWcd zO`wvl0yhg_1_}{Hbo{K1aN`4p-@ep-H?0*iZ+91Pqt{(4mW*IDBGaa zZntt*RL#-*hjd6JH4o{!O8a1Yy=m*Lva*h*S{LH|75B=@%CfSuFn&O#TRGRRU1Ks& z)^%ULdUa!43N3M4hfY1W*ulP-)!f{yL8ND!#F1x?!yi9FmI$ot?(6MMyPlVs>E`Ka z<&~bE{@il*R$<}6D`bDBrH4ljx1uG-R>NF~Y$P7j+oovhXzmt~^RlLfFV(pSGd!BV zTI;l)r55ghUzuXrWZZC!e?WlM$Z>=RS`VO|l%0X0VRY+)q%Xe}hp2`qW3F=e@L`)~ zx~)c{aP0sAu+u9I%*>kGf{z@z*%XG9U()D!y1_&vs;M7e$CFJ7I}P+bq}RwX{g%|tV8?uMQ-kb@RP&eCpLjQrEvIx zo&(v@(J`HJ!|=-m3m&`_YKYjLvf=M-d42zo9GGn1<4$0>95$cF(`(*Fnhl!D&6)rC zg6k*Atn``N54Bp`+uh3!L*UU_tey&dPAg@cRAa1R5Favon7hSt`c=WwiUo;0>fbV9 zp}4{5a4kMQyI=9hqwfILl96iwIN8(FfdK(ceqYnV6dcM!`l?s3d1LQi6y^${xZ!(A ztzLcidTmY3at1wUjAlaKKudIy+=C!BeC=&V$C=52Tb;3!OHyYKTk=4I&CSiZ;&*a# zOt@y0$${?S;ao{wD4cuuMr4FRF3HZ$Hhh3Q=a>IFg-ji+-&movETtGo~vl#Kh!62DKxiomc{VODn6BWe)YF!xj5&N)h-h>G$sK 
z_bWeWZ4J&CZMxN>)bHCE!yUPW;o%F+YZ1_;9?Gex2I5>MXA>ri1jdQqP z`10jTTF>C%AdT(g>${ZERqUVLG|R|IoQe1qa#B|F$TL27xMXBmOmkCH!sz1HH8pB4 zD;{~YtDE;D7~%lvGnrNb0Mw@9tF!bli+xdsY~N_+>Y6@> zHT2m4t6Q?LK)r68>Xc4FWAztjG8Ji zp@;Dcrq=W8w6wL`fVN3q$B)Z?lgM;6c#J&nCw#)zqdWowYw2+rzwjUH@@sm3&GaPH z=^0QYTn>}-@S(an|G|R?xC<3Z+^M1LI5MUIa7t2=9SD%2E}7h=v=I6^!v2;f2|F*4 zMXdjQ`}P%i8p>>7GMQVqZUx{S`uNdu9Bi_;x0g2S?&T!|GA)^#nF)5Yjg=XcuYE~l z;qC%KeTa|G7%@NCkkJ6=%KMK{%F?qG+jOkO8z6p?sN)|DpeC_H&YUTsJi2}RJ;>j| zu9SM&vFKlZ`7WlC7Id8lHpjfG=umztOT)_1@z!PsE2}90*en^*y%$$sdbmM*A*QeU z$&-zB zz|hc853lX=a$ASq>}))T7czp7IZUW4am@otmmw_=ZVWneCcD|8$TKOki7YQ~!lLZa z)7xiT{Qlw&?NPJMVY)mMx6F^m6O)q#Y(>ebk*>U;`^5CE0$NIMTL|s2v{jtI(%f7P z9Nt(Ry?mP<`+ZN39-EMq8zQ0x*0cQAXlOL|4V%x!#fpK3JF%O|9&H7mi-_Ly6juMb z>zp3vAT;(PkK_Dz%g%5(N!tE~T`YA?%@)h%Rg#h?vciUoS-A+OZNq{Un%=)|?us(& zNOxlK0~d?R&8JL#+){NWIG8=smEu1u!CD{M{2+PY!`H*_*0kx=?`lA9ux!qrNipIl zi;P7 z=8!>Mq0n4C78=UOsNJ>Kl9hd-bY3@|C-`@s5m*Zx9;A(o1X3p^cl?o z)CH?&mtGlgT@mgh;04#QleK&yw&=0bD*cU|4*@*>z z6v?gO1D1#_GX6z2i8%fUsY8Vl;8Eg zEUlZCmR3(*jJsB7v%CW93n*j>qsS%)+?g2>o0peIrwjdcZ-|Ru4QNRK%zHg_w2}*1 ziKWL^IsSTcQ*Cv1BgO2F@r`vhwV0vi{CoHAUCh-h)}3PjDQfQ5G6dJ;ZS~lIKl<#3 zh6epl(=GqO1I*ZE5)u=kFBuF#1vcB^-q9bLTn|`S6b`4jyt)>}JzRM5stH-qBHg&I zj4G~Zf44K18^4zxJXR^8H7yW+6JuEN%!~t^iaaoX{(NTFKqPaozCIv_7AE5W_os-6 znDO1=3%fl;p71=&IeiXP{y|dSNQ6WSEyuPJPUd32Ea?1y~jeNUW zz;S+dP=!(>-J1RzbZpD6re=#VdgQz{X)`hEjdYjqq+Z(yZ!d1SDNUk8PQ`+bW|R-m zmkwypkjbcC{%7*R0a5j~zyk;3C^NY6C4nPWwK5P78jV9k%bEnWNju_GQu31Xva*(_ zVNBOo0b073JtlJQa}+5SRYXQb)e-T|-adI?N!6=Y`fRWaV2s8I27^)0S`P4G!!nxQ zjmZbXZStTCY{cxQ=B;F4@bBbZeSLjRO-+Gj!0rsoA3mHi6s`jz5|7dMQAxo{w;``x z`}FCqK^My-M~>{@|Es+gnJh#V)0(_G;A6{LkIuR}WnJCQ4T%oi@v7=-KOl#|Af|40 zc2<@if36G%o9cv__c99JQ>+gi%J5%Ah)Dtm z%HT$GGVU#n3sHo|1)Q?U3uI&+v>CCsu}NqWpq8e`Kh;)XU`cH&aHA13Gk>rjaMjYU zEG_MUiiuC^Y-kWP1H0Py6S+dU`1Cak$*AeMmHuB?syhb@;Q>8Vt(o8!G)DUS9sV&30{Q>!9nyU9B5d zANn!-UZf}`zOJHT_m#lYr-6-`7}5GH&yfiAza(9N z`vYVmMpQ18GJMB_aS)lvywP)%Ug%I@0Og^x0VADu8>t_Dzm(`%Y|zC;70mJqM)Kyc 
z{MzD9AP_L)g{#z!EmUZU?vl@eQPx!vDmzLhOg`puOjG}xTf4!3n88T=1W&V-$!4rv zzC0~i>|5etQHxoL;mGbs&RV_t3)$|eq4pix+IsOiAa+=c85?YEZS`4)QK{O$|6O07 z_~OO4;>cmVM;Q~~-30{&5K0$(`DNyZz~Q%BvK&AhP#y+i2x^hm_S;v$f$$y^6T^_n zMW{o3ibCQ z86P$qZ2QN_(aF)#fi61TiIDqDOiY;U+M8NS3AO(o$#38nM@c42g)(`<+Pc}Dyo?C3 zN8F*IZ@Srv6}xm9P4GV>YC&fnQi(Yk zER)7fdgKDdKgnqfDXCnMBLRL?=$Q;Qbz+FDrgqR>2&P_tZO?_3Y4*aWA~MUCcinS5 zmm!4c;%+CD+7WQVjv7sEIH-5cl`Yd}WK9>g@1J2|+nc^g01 z2RHrH62HUXk~D8;=l2&hI)5*2{enFrTC+u2+58H%`)7%VUR|%b4wc=zu2}Qd(z1Py zek~}1kYqrfZc#-cur=N1X#2dZ;zq~%G+qBABK#ein%7TKA#}8JN7q!L1Tyi4f6nFD z*Ojq{;)<=YkR^bFQ8Lrd~d6dpBKztp^V}PvW^tFm1 z{UCaxm^9rHh!{%hYHCWC_Vn_iGBfY2UcEYe(W>+~#B#2b^!-&{rFE}f8Ep)P+6qtr zTLbXuRgfDKPtRe%u4VD62(?7bI;p?6m&9(g*c~D2@8_plQ4u!vu@x?by6)Qy00@1~ z-Mex*iZK-tVlnn5Kzod0-4Uq!Fd{HU;wO81KpbpRl6C~T9zUMlf15^ga(32Nd~x>d zS>T(NmSZ-DEZc7VkRbwSWIp!x?U6y3w$@fY+!j*zz69{AFYa%suP>OAS-f~{$IZaE zJ|ffnl&=>pTAp+K5AgZ%K-Zp@)>bJJrE!DCG{f2fss{KF>wuUM^4f{eO{nq~rho(m zWJa)lzqFpl{#r~de$lC)e{SYWE68mve3>#%R1!Jw-n~OjtkO&FtZ?t`y|LoGh&L4o z**E|kdnUj;RUJo#ofRDp$Ge{If_1#*ZjXLS^Lb)kgYH~|PHp=iHa{nT}=;fn$o zc`WMWTc9gAN`C$I*9qeeq3o-E2FU8VZuJ``bgXG?hz2QyR@muu-x#G$9f{exy)seb z=S0LVMn@kYs&{y>SX2~bX(8Z=jFV;E;j1ivgZ>Lg$wNCNj|Rn>Mz1s2XoUtd#WV`_^K zsIp+{a$FpMXQ6xZ$)V$w(aULJ;_^0)Y30$rK0d*a5ZNR;#!;N@3vy@9fA{Wa4y)nK z8}FLhCt%hVyeo=HZ}d|ny*tjp=@lzYs?vU^{jR%vZI#FuUoU38`xN93* zF8?zR(vrc5cO2c34rZDqK?UB+5YAByHmlj)uGXy~{l-a>7(7mF3bX-z{*`Oj0+J%K z3koa?GzrCcmhWsj%S>>!nUw!o*d!pV* z(d{1@&t?{7#s&)2fAYv&q2i6gmMu~G^NN3*Q|z1(FFA|X@A04(%Z=Bm91CVMy5k? 
zs~!gsrH+gGcW+;xsHD=bNLgDsShy%=qlBKlnXo!B!=&ZKjUWlH=uEZFwJwmE8t!Os zYEpNtmaODSIE0vk*k%z|8QR>A2F~J6Fub|^hMTo?$&yAC!&BmQOEDZw#oO(kB_=-S zANM4m8D7l3eCZMhu%xtf*ae5vL>+9U(zt{E`xmhzZ`>yOYUIZ0_X396L{*5w6nkW3 zgnsntXKZdqNuUHnh#98G2j^^^3_AfKoZf#E=0E5RD0ALGkQk6o7&8E#pwk1=B7p5Uh{Y>48-w zP6uHpMzK7DP*LvCXzR9YdHMRa=|*8kV3$E6>iWSS@4r}9fn)q(rfW*<9T_2eb?Q`( z5(X=fL3^S~ED+3&phAB8I_gCxaM|Q37C#PmM6D`%yjFMiV|HG7R;LiMv_2bH8Gf5a zmJo7X{p=Y)QBeY}m%@HV+#NnliHlZi?r-P|0S22K;z5KI)1BE#BGNlkR#DLl=(;{v znliAKP*Xk-4AHmWlwF0$Ytt-50@VaCr-T9cYjlO=bNe8HobvEESPRqOi4O7sA{_R@ zMl;cRJSEd%1f>AI<`U=`OJz+n`oY5sa*qcGKb}lE4~z}aoWQ+QendKS(ws=1^xC=P z`5pTWW^ZIXc(1C(sEOZj?90x>)C2o${HU7%q1VwLSJ+#+^RoXr8$xtO|DN0rYvF*K}is|9Hfg6pA9)-s*6 z>Otu2)X(2aM7v6u^HCgdgS+zX1i3NKfovXzpoB95j~}RpNjZ}F;`#HFWu4ES>3MS1 zbgDg){3K^s4#MJNFPAh8QNs?uT=Ewy{*Qb__w)(goR;SDvE@GK629QUmq5_&Lw8C` zL+~1;KSHH@nF52YC1J=!tiBKv1HHxKrNpvjat`H3$^@AfcMOe;FwdQjAHNeuIbq5cy1pKtKK6VS zQRE^oUbSjR@c6MxZwjRtd~=J+0L&8`XL-%J{=+!68~$*NUxDKh<*2v9I+euBMdT1iv#pQpEtQlrRC0 zgHdA!*BQ7=?m2z>G~mSo(bYj0WIE@n(~_J#8di7U^_QSb1@?q2`ODhfjkAaEJN?`g zhEgv~g4Ou~h=DW#YH}rr(G!y+@Ub`4I>Q;ktyI_0h>3=KB;Xwrj;ELt{NptVX@x16 zVQw8a5sbfM=bxxsXF)mwp((wM46sfU006GbLP0@cRm(Tu>a(R*Pljqd=Mzhim$a4VCM&1U=dJc|PBW@e{cx-`}$D166sgbCIxu^8u}CjdgzN72$r}cos8hRnjBV25i|i*U}CX{QjqXt#^Dbo zW)FQX2jxSo-Sdlz}AZkXdCDwOn!E!P`%0s zv$DFD5e9iFLvYn>7ZcixNudBSxS4zJP)-wK(ZmriV6hA#BFlr7!>U2ArK$x%V|CpsF6#h{op<=SOS>VknlFQkm2 z_<~AcYU+l{(n=?yUO?faMJE^LNfH%#0QsIB1`QmyGTR=W_ARhEH&i%DK8LctZQC|| z;W5ltA~Y>jv?~S|v9csM0ZzL8&}HqMg!&{XrPngkg^c&NrJC5!_N5;ju<_? 
zpPa(LULko!cf&qGpp}B_UZrES9BqNgxf?wA$a7(JzPwc>8vf@%3Mll5z$qK%XY;!3}HH93{NPe6N;!yWGh{ z1v{r7HN%3b{C_}V!czlTF{62UY6_hX%1+Nv<7KesQ1KlOaSLLWo5+Vd5;A;;4m``W zFdB`fed@-ElNt-1VHZnh61B`m;ao9NLf+?YZkvwQ4W&f^Bc71gDM2xcHaG(eO^*)<~%rh^nYZ|E*L$5UGsW-PF_s=cWV6!2v-7-mW!Ss1|R^0?35e zBeitt`|j>rae46mv-3fn70YM7@7mN-=x!YpGy_lbvIzt~ngFt~J7O@Oz<~vVIoAqm z6yRQr2^`Ur=vAKCDa7hP8AO#N7w&kftK9Ai9XMP^M`y{BCCes6#H5!oAX&6yK@nPG zIW^VR4@?8`(sChr^vUNaGS*KRLJ-hPv?u~JH!nwz5hfHC4??@^qfU@>0qm*PwM4rW zjSH+O(F4dQ27rh0f_m1CxHg0m@Vvf(I_IAUVj|(AMq_*MVl|dR;ZQ z^!&%6ArRu_69hzNz$ny66i+I`Gr}N6dwbt2XFrCsam(w>xs0zzLd7>a+S0sF?nh$F2vN)H99Q)ua z^$$sborfQJ-=cK3x7%7023u%_rV@vZ>zd{5_M=NBW>k@g(c`hY+yRVY$?H$GOJLX~ zy(kA4!>a#x+LC(^{_3gYXfex(K=^m9zJ4niM#Bb58F~R9L0u#oy3k7!M-CoO9kzWp zFhJPxPHq*zu|3?Hzn4TmGwo^4hjn)rs2ui${naCHA6u}T@JCsMSQ6O{PQA;UGW%sH z1Gf;da^k(=Ev`-`*(#S(g<%y+J;XFXWb{JsfR`(RFlzinTM!C@wJ{3nsB}TL+^|7U zneNr4o6SJFLwOvn5QtO6?1d9C4$TJ~7;9i1Sw#pO0Il^i9a$+UY;0>kl&kR4lQ&z@r%X22o zZVPDAnD0CMw#vzUSpPfy4K!cE%HPG!vn|Rs%IQZ6DI7jdG(QNT{EtCnYi_2;$4iJM z;sCmrIR6a`kb=?o$8aA2p(OZ`zc7{;HQkHMC@@shj_xHpbJAEQLu%Yov zFq*gDTYfd6XO#tti0W_DmdVKEv3Cbp-)67+vO+0bOve7mk-K@s5`|E3+utf9C&wkF z<%?{_$%crE(e4VZxAWMJ#*@C+HvOGg0Deed{Wcwm!v_wG@8Dg91l`=#<*<>+w$Mky zBO+i5$^1a5ik$J@UFR0ShLrJvP@>Gpe9N*4R8ZaRZXg}A?0G0tltOTe?uJIRGF&-i z#@mGB&uT(c3S`#EpbAq~Mp9R|Ql_IKImiW_BqCjcIF;F$N#p(a<+qgS;hg07T%lCp z+q(Mtbteb!zmSH`b@O5voE4C{8sSH%oV7i8Pz^G~pnMPjaz#bO!8nNfM1NFX2+A!e zB<|U>r?{lVU7M%RAtVU2?H#BcLB}fOS7sv7TuAF9GCU+>tFo|t`+jdLbZ4;UINPN@ z^jo|{X@$*0gg{eaYFHT<0}J|YVflF^;ZZbeC4Lx1pV1y?=i9;IDZl^zI}}^?#KX+Y zm&-yW2#s_^bhYNM{)-UV`)U#cVavOGWJIM_XFZdQh2u^JtZ6P5V1$x2ypn^bY$2Ux z>V}%4UFhkLU&8-`*w<(VnA*gKFNGH7TAN%3Rq67nWRNEF3Go;gI5DxBtna2IC+GU- z!+q~&mxB6cXFB~GLlcwbc0{YrhAb-dm1w4-O~F1E+Y>0E5iMEOl# z$y+r)wy%^~7d8PyCp60!8*0u31?^Lu!kf^>nd+nqqer^e@IA+h;>L;{&;oOU^DmX3 zmk$1L2|9YM4nHRB+uz6)ROi2^-~7oYtrJ;0d|;RIwzX}C-NNfp_X1@2N-6}20CO^p z2epXTPZk~~fz&FVbOjwoqhE8g@aZ`b{Ys?LGl(MS0wt^gEF|Pc79>Gi)+STM9=FI~ESy4R4+ zgPx+t3Z5BtBp_%JbnPL;tEF~7#>Y3~w&zL;nAv%Hv;BrbCUX94n|ofSgBR}g2@(Mj 
z@{iYM^`lke(Xp3txYlibaA~hE?!@#nB|1SWNker#7b-*~QHqRPTHj(@nxR{3`n&q%m(7m3M_$#1#V?9<& zNt?(c(~rkP33m_t^ItFBw7JhZ&z_I@5wpO;oQ&cJ%5kc7cRWNy23zI%YZ~k8X_5hc zevOp-u(lFzyoftj(0z)IIoKL1e*3L@)O(|>Z1xCmn@qP}O$e4gE#%m-50Docg@yqE zQ{b0rUgRU3celz@Q4C!oe+jWaBL$amoykK(O3P#4J13N`ihfS3y@uML*`Y(%x$@rN ziBg`pZcqoyJjGCZ)$ThyDsSz9D*&w^nKPr^=}g%zTMXR!hz9|g{9r(=GLZSc!T#`7 zp5OJ(vRQWuW$Kz!0HcF~t{+!6VVrlAL=iFs%Wu*o&Gqv2>ziv5nT`eQinmP;0rigW zAV1nYI2QE>=79M*0ZX#RL*+jwcAqRH>Mx&)C+5PjZX?9Xq!E6jNwbd~CDsl?pw26T zrEs%BC2(V+IJ?KM%;=ijOY9y{i@JL@y1b-d40H+uNVj~6PBslN%cud40Q!Au1#3-1;i$CP_2D z(sW;$Ca9w8ny4%+O2AoG!x|AXUGE8DP)F)tPbdXD??o z^RLAzxZ2ruEH%?v%il&5D_#c!SGx8>5Kf}-A*=$T1an+kcgM4CqhAjN-Mp>R_8J;R zu-+2J2R!&l%~_c#TrL+`18cMGp{q_JZ;Qk9;T21ktRs4=Z=4JTa!{y(qFRca);CD4 zzOEcDze?HZr_F@7A@L;NBMAa-Q)%m*!npj-feNJ`&z;j}GwAMv38`Ww!xi38delR& z!?Ao~&i>^1WY6E&Zue=gktf*>&96-z8bn1!vA&rcFiosj^tM3$3_CV?ar??IXehj{NqIgfZlF@vPRX;gC ze&8kArjNV0WNM5I5D&@Kt3RUF5_J7TZ?Az^5j@L?msdkD!C_NF9)NTH;5cR~@;EcX z5l9C8btlMvtfnFK10GmNAN}oHhmf(KDL&Yy1Z`uHkzZBvu&)VB%Gvfpph8+qC>DVj zY8d3zQVKb89x5~RxIrvaQgxYace0jWZ7_?nj1i{Z2pD*_vi6flUM2I+9-x^?T|UshoE*P(W2 zNiQ$AFA$<2nd9}1>cZQAcC-i|;AR^$(~bztBI1Eu%Oz)KXYZg2N(aoYz>mok-inZh zx*5-v|D{u|L&JJ0R+BKnY_jbOGs!3tu({aYVcF16D27Rq!;X+p-!}4W^v4)~;X7a7{?6nNx)Eb_MIWa5+o-Eelln_*XG{BYwjVyc^%BfA zsHMdzbOYlPE-%AlkXq4o^77b$QW;nfX22(nSgqxuXJDES#tgQT`SHikOcI4~N7=#8Pl2YFgY7eUPkw%NsMD?X)|!!q5IkQ{{8!q7V5_=uRYHm84o}Zl+xVQ`2NL( zRkAie!XJ3W5=G#V870@5rx?j=8G&BgN7i|0iePoK&Y{s|nBZoi$(PI}C6kyL3)T6d-;z^il zU8i7|lA1h0N4weaX|iyFyy^}a)d{7L?uGXX&&Qt^X zSY=nw|L(Et1NXI0x@m!p)m<*VFCn+S}SD)m$KS zgSq5UN{fmDA*E4xu+?IBnRMwcWM*WitQW#pblxi{IQmA|3Pcm`TBlJInTBGh#4UhS<6#Lx9d^56FTfU0g0{2KS>28h!*@p;TK=sh05ER>K_r%n+8gon@N@%aD{{;RDvT?Uw! 
zS5kW8bU)*ZuF~NAyLXMdx~=T(b?vn z2F#G9)ji*4NS2m=( zN?0LA-kf}j+fr54p_V2-wA^idX<6AKwGM)zO1+((9K2m9fC@nxd$yDrZ%p~_ivNhsfy7H93xZ4)6QiAf;LeI%g7k~P2t5EgeQImVu%jb^y@PtK(E!AED?e1xhfdsRCGYxdEI3e>h8Z>Gb572SgXxGg$1 zCZ=JI{6+Unk8~+U6ZWAnKFcBdMRQ~0zWDE?r0n49kmP~YM^3e4m#%w+r)CBW6by1d zDePI~VsJ!>oInr+nUK*R()st$H``%+?15#a$KWJ`Fq6calvPVhZe%7?VFRPF_vq`ZsjD+f%F#&!0B;#9gmfxtER5Y|otq(ID|Zd{ivFbG-QRz& zH@3(2l!$ZzjkV3cmNZT5m{4W}^MpI8o<(%T)E(8vRCTNfA8cPVqIrn1_Ig-crwp zQE)T(@f~L@T>UX<{5CQH#Ssw!T-T?fABCc&`*w_U-~Ad5u^O0Yi~O7RrKP7w_W(vN zIw(9l|8oGS_ocIUyt>M1Gcf3DLi4_?>n?NVqjC=44~3a8YtiEXtB!`L3bq$gIr?PY zxkeQ%v?h z{p82^r@fc{eLQqCE{5S6`*Cp?Yohp3WRH|+1jQSG1+$d#9*O0y6`~k=2w;!4X9vMu z3gabv2HuSh>~p~!^YHLM>c>5~pA9=CVQI_|5|HRA*eC6Snai^CFTgQiT3n(E#QoIz1X@zA{| znh{h})7M0!7N79VGTyhRlro#$vHZa0Eo)J~LNi4lN>(G@GtE?fGhw(>euP;7v1K`X zuivACmX;YB7E5gpKQ4JWuQ8AELV>z}|1V8ktd^`Z0h~cm%hewXMD6Q8-~wqgMDu4% zwQGJ8n>kGQ;zXv--8zv&R#Li$%I)N}c648WObBG*eaC})?M+Kd#une5JD)%RK$vEC zd}bPY$p3B_n+&=l!5G08E0l&?YqyjDgIHjXieTN|eJnKXUY-&{9i>S)Uqa6!G-8v` z<=`asTz?r)ZONWHA#5MPROH2r*K{>aW`ehD*`hjMYE$U_K}&oJCiQ((6dJyHG6-`F zp%LE}+q3#_+MRM|^~wAlsslSWDlD;?fWf z4wno8cve)x4H&8m$;3vFBA()*W5iBl#SU2icr0AfHAUa@y#17VP9hnCi~9tbJFq^7 z4Tk8JLzb1@YZ(j@SlFcE_}dpb{8G}`o@|E?F!Z2^4Ecff0YxyCM#mFy9*9XuHQZ*n z25P*He0$%=%0eL8Wge_I`Toy*t@L_}732v3+O44KXP9KFdOB?o`z#*Fpp@t1He zNNjFp0Z=Tf+`DJb$sAc#)yA_C^jp$RHmqP6$WZ!Y*J!Y&jO(&0tjJy}X`jz*`b z1dYBkE&P94JNvkr@Bjbr^RW;1-KNP^GTCQ_!bB)V&PL6IaunGi(Tpyn5OGxJvyXj- zLPmtBIW9^h#89eD(y&VDf-aG(POEfrsMERl-d|_m@Ar4{$M<{t-pn7nZK$2jdA(oH z=ksy(tl?G|hIlc)Nn_z92E<)a4WFyGROisXq3oGpk? 
zO3LX+{0~1nF#9AYxjupPjf43sa>XMOXBU(_B53vM{jajSwWwl$p4$Qp(O5ofT-N#X z(u)r&Os0o#t#tb(a{l_?&$ZHftywefdVVP+L?mC-fAH|){NavaIPw^c>N(X`Stm~9 zJ__FU_{8&l?dR5#Ob~jdw5%-hY--4PKwYKw@}rr7+qNFz^YXp>tqYUJ@@n>IaOHzS)&Oq-PS%GVQR3m6O@IffW43)62^%aCh7&q+2p;_gpQ7lV{TjbeD~cxxd;fI8g%=1@BZ2O^E_VIK-J5EW0$@);AwvqVIr17 z9w>V~o#dDSxg8w|3AFBSro^%e9oqL%@TB7kQ&`E=ctk!?j}c!XRi-63jyWQpK+oAg z^1j$lcR(MC9elMx|zuxw%uP zK~tVBylc-nDP`fuJNTL9@{!%WGv%eU+)PT*x)6Y?u$J@vSa3q64GcHWl3^ zw=3k3DrY*j=p^U5S$ws4?&jf>Cs#iD z4UxjdS0n7~JUt50eA#bXof2BJX-2KS9+fT1V4t=1i_Uux-{N~7|48G{i81^3Sv@Pf zbEnTY1-EY(%O@cqGxHyjc;W;f-r>oiXOr|M67Ad=QS@Y8h|yeAbSDrjWhU?bu+OvOC6|OiGJfQNzH?zQ6v$Rc3P0EK11`sc<#bTOz_Wb$eARW5X z4;Q>RM}HUfSh#emy<;W~<-4SI94ibInKenm`%>td`7amqThk79Y8EmBGO;Uw8TxhZ^Z_+$tOHl=^ z04OE2CrkG%c#_jEs6Xe`Cg469yl^dW4?>W`En~}%c+1z&7CWm;@EVttBn@G76u*=? zjR2&o&J((rR|vqT^;M`<^QB@XWeLw_9(q2J^$_nw`UTPBX({|NCy8ALY=A&WBAWSX+j{NX_OUF}UqV9_-y zyMoZR&~NdsAp)_|FW54fx|Z&q;;B)`w+HV9g#D(E`H;K^pAyd_gcjG-%$)Y?b?MGu zd|{p}QAuuJMh7?ELq}njwS_iTTxwh8n)cwg{D#F_XC}&mfDDeCP}+r>a*l6U*qd{k zUoy&VZmP1EhM`!@>flhs<)2L5&YeIuKqc4;-d6~6Sthj@e^)9A{KO-C0BxfS#DDw zB?_MUIk*&ajmTMU0g$y@T{X9Gh`G5rNuS9`eQuPOdk(w*D3~nMakLXC#)pZ{7LQNn z0Wb>ikVsAH`gP`?W;f-y$PB3RP7L8GElOMI7C!3(HPY+FA?v(I!U}K%vEy~AT13h( z-MS{fSctOn{4b5Hsc&Rtcgp9h-Ndtza~0&1)S?2nlMCXiaYA+nj=x*~^S9k(n_oa4 zjNKy=(!7GmGbz)cn6doSkN5|T>L5gW(g9d~sUA&6X!7MpfSM^?l)S|rg-DBbu4~)B zZ=YYF2)j&*7h)?tVh*XE1Y)TkLE!YkKk*Q!H^&0m3|yHBxUGC_R4H2&jryhs@mt$e zGhJObsB*57v%IT$-0A!Rx6aG|C@X)^YxmRxJ5L&iGMuA`5q5<4d^o1<$zC@o`Clff zzwB}EzyY&r_sMZjn(kS3zX!aU(g`#C-lZk#A(wW})R=AN3%#*Y3n4MV!$9X7n4}+-Wzc%U3aL7&-5=+R7&o;RNLBd+ z%|x%NkNKza862wvR*b-kPh`#93(V?9F{Q|*jZvUSl$jKwh~wJB@z&I)1@S2Q`=+ZG z{!Dre1s4wzsY)l&u;(MVf69}AC&Ck>I&_(U^^e~6fo5Z1_~AvxyutCTrjNE_^U}t zzb>~K_Q@y65|i_gxmi8qkj&lpK zw%sZbGwSaBe|JGK7BQ~`O!%2&8OI4QODaF6 z{>9Jc;M#TToOK7MhC8JGn*EWrwOdIcb5@Faf}P#z0r#q^M!PgYao)A!PXg8f;$AGv zCO9iajq@ZRh5n#aDepge;YYU#74wnmnclazM%5I~8Get1;t#*rbMT;5ayB!~qu*ee zFV$E(`2SS#`}ZAI-YrqLDu>(J{=}`y1u~A^4Nme6G%@3Yt40dZECh*@F452RhVS!k 
z`PZV}x0rHZxb~m)Y%bY0Kl<&qAyS6psobdk;ry04YeEU0aF347iaC(KLK>m95w%cq zLh|%s!Je#+Z&%n{3GiWNZedWG@cuk)q1zibd@(e9!c%FoIv@aeHC8Ut%`6pj=H!D# zl-4zHheg2vpRuf2eOb7Cpj2q=q}wF~^803jpLU=mR0o=8RF8?Y9y6vaeLMQpmjJEr zp?w~Qx_54XBU53KJX`zJT5)wluLn`KvdtTRQU*(R%EjKKI=;yMA z3_>iWj)?jDJQawrr2z=);#tqvIX)NwWevpt+m_@cUAQpMBYQ&jE(=-UE7unHEZ|wo zEI}4`pl3Am&*T;;KV*#ExRy4HwE>3&?<8vzx)P@D(pV9V+II*sOxFh&W6tCMkK4xH zPlpO5U9KKk-h1w&#>T+!Y^o+tPlawd5p-X4Il{PrVae#oQ{3_|0k#ZSEEYeDhuzV(94|%yRT0{{J=Ts2vu#u`4&w1FeaM5NHl8Elvc^pi% zFX9kYCqYEZF3FsSb#`?DRFCQ|qPBrpRcfPEJ8Oxf*vlbC$aeXu=T!cS?R(S+X%zrDqL}qMI>~}Nv^q$sRp!FPqHoJ0urPdlET$us)yR>>=}Y{y{1CkNv?sp1 zb8ZN!fPq^$k={9c>mz7N;uT6?PY2rl`*3&4{gr!XnUCM8eFrhanNtZkDQrqyI6UtkuFUY<;)=suY$^FPhlErL z7Eld>P(wBRBKG!Ga6l*|@CRg@11&BQ+>F^sL zlB}6rxvXd6pzglc6={urV$;tX?fd!Y$yuxBSnr5a7GYePy~1vwx)q9ykEwWigqVX8 z>uIsrt}+dToDw!UfVx@WW1>J{I7v%Qt%neCeTy1Jpag}1ZE>fRaEh=b8;^QdDL4oH?z&pm{$ z*wO%Peeo5w#@;nk@vJbxTGq@re{a44Yk-p)!@#{$sj(nsA@k&Ds*VKgWZ1G&+@@n+ z?eA~S0u`SyC#Sb-ch*j0%Z`nQqgWi{p)+8Cor;>Ru4M1--5*5~;caL4LmD0gUw{9| zsHkK8ejYqx@CrbT3B*YzE*k!)S$o{qmdCuNwtAYZUbRZgt8i)&S_WTVUj%a=kNk;wj62{XiuBb$}^h6-_D^h*n~}d?Yr#($e{P z>X8UK*rYbVj)7AUL@~&6wlUO0L`vY$!8QKGl6 zmLLIE<K?GX{pfv%M0Bnudv>0VWI$pckm>qXj{`s~8<(>#nepHA#f7pIQCkd}7o zl>y^_afN~4gKa8%d3%zj0zY$^o}(D0q9Q4^4)WEP9=uOUzBu4WK7OP3=SOQow;s7i zALHDD5ViW;vToryfgcPUXk|Q1b29#Amr=AFXZ2%1zN;@>8AE>^c<0%lCje>ceyYwh zTeD9ta6EdF|_n zo;`bRY%iM8Z;OZ_^Y#|{d^7Kb3oR>5Xx?qPnMBL)-1WRrp>M;OT2jZ%DgwUf#;uEf_mG#L-vZZ+u08l#TAcuLCn9*mP9XEO0ta zeuS#TO8ul(VbJl_XmNW@S?tsTnrK=bjZ5>M=3HBAtLf8P^wx~>C3Vz#HF(DCOvB(w zzd1K}om=`jQ-4VtqN|N87oeqFx^$_q;nWGfi(y8s#YC0#U{zLIpQErMRgF-*Nh63` zmNi&eTHck<0rueSX23~4rDrC_j*yp^h=xg{5y2iQ>gUg%MXDHE(v26GQzuE4PMy3c zCvohUrXnLR)_5PP$$Pj1GDn?%Z0hw5zlq%Z)q385D3vgwLV5AHAMsa+^v?jv79oQL z5v}h0Hh;zQx3k{`K@_V(=+F+eMw?G`3D9M0N>h*5HoPUNueda7&Sx1&Oq%%{supgE z<9?xYWis+$(L;*Vy;$4@pnKN%;MmicVV#Xj23Mpkf z4B}$2T}cZ}LpwhehOTzG&8a+L36;%58c)iH(u|0V0tg266ObLH?j@==vhtGi7=2T^ 
zB#=Qk#3$K7A{}XWgTO)LQ~G)lC4-06xiowt|ExMoee8KyB~|9o||#?YVOUOO|{wH;}l$Wmf2_kP*efj`{-Fwx6q-K zKVIPJIqDh0*Q-Z+^-w4b_sOd5TE->%y|IcqsnNCuqyQ}nFVao>u;cDOwg>Opv7_(P z)H7#7(!0^zwYg7yX*iE63cXcPkCna6%|}KuCEiDt@&3GPbQ~e)K`De?%I8}9FZ~A$ z5XRLjS0?3(!Aq*Aox!j$Dq?Ve&B5>A8|agiZ;NA--&%LC+6tUfbj52_y~A}6^b3A- z)-L*QpuhiB9_ryeOu!Vl#H*L@(twt15fM)r7S`6Om;*<3XUT+6?JBiE#=<+`^Ad%a z{L%HlN%e3!yep%+H{U-`GdM_f3*+k|={QuY6}_Y zSMB2voF=4YOfMSSm1Ngj>iKFWdQI7=^o7bJWfs@~I_}@U&nTC4V^(wDjOwZU#_{9F z8AA7U7}6Qu}BQVFaX4fe0!r}cyxcM{)`ABhcGRdGbtIybkKGV*~fs69r8oPi0&AdFL zqH0^K$i?FgA#G5)LqR_7r~U67N!SR9GQHauw-#BBAMaigR{zTg9-jj-F~^sP!PvP| zXplOE==1iF{{2bj7^~LeY8_t^aUagaSAxd%kAAN;@%Zs=tpkYF4Otr+n;Aq<)Am*& zs(gajBIeqeGdub;58!Y6RZjt@lrbM${O6Zkz`t-UgzXfqe5?Y(5K|#veBpna8ARP9Hj*Z`k=zA@ zuU6*J>fRp_dK!hXRGj8Dk#-*Aj@+ebV$xMNe_xr|UOWo{)i_rjcv74l%&1`69CwYhRIz2<&l4 z1x$Cc>*Ao}xJ#o5WvfKQeVH6B&WL1z z%>+0K^Hgb?5!@p^U|TD+mMjLlZI4 z+dUeC<_Dz)tkV{3;BXX)Eqh0}*%m}>X4YkepIhUjX|$-qpp5D;K}fj71_O->S=NhEd>vH8(Q3peMi7PmCx zE;22Z`t7&h#@Ks0uSbs_0*k+y-FkbJ;Ov^m8_5-qEo9gXqZUpm@el%QffaxD$DJca z1{)8>vw|ZHWA}(GHXT2InM^1ZoYiDW-yn9SKWKD(0u@su}$T&?ef{`-nHY4$(20I*KNHY!-eieiJ z_U`?8p9oiW#A1MDvJaL$>gyz#FmQMKSP#S5^GDhjb*tL4Ld}`P716G)}%T{g!B!K<`~pXS&Tb0{VHN*PVZ@JJ@F=$;hJtBQMYk#-vyXIio8IVae4ziv}-1u?yidM5%1dk2n)CUvDlgn5wy0K z*5psTg)Tm9TF1J{mZ`y^2F&UcOY5FLM~mg47SvY0kf3t&$;EQP7NSgwhqX792Z1Mb zznTS^wO@aW0Z%OT%zcP_`V~{8>XtxD_UutwSf^hZzV{SvcWjhU4&(H8*`0HQ@;@xXR#jYV!Q4hNu8##M8$UmKcv zjz-Kmbes%tx;)DWaBD1X;36L0K}14uw0%V6h$&8)=HSf@DFUHy(oQcBT-pbvfb&kb zh#q=>Vo&yHvokIGb;&m(#85csW5j9>luqYz#x6*a4NDe7wNgv>qSW&JCwM5*Lz{u+ zC{IQ{*x0|3knpusNAD_Yo{{0T;iT2B#S*cT$&C@-NU^1^Z)2&qnd&8Z#X{Q)P&F|n zl;Mg-jmJDG9t<<86%p`f4G{-mIFkN2(_+48G%)3yxFq4{Lukq%U8ZSJshT>v@x!#a z>%Ay*^ZOE0F5<5?#OpcNU-ac3hqM+c?|q@FuM6Fm;}VBS$%@!_w2dn&udMlc>C%r< z{_&UGyu5qgRYw0=k(BOhLyOaaM}N)jvKOH@xom9m4saCdN+@VfScn`EqtYU!h05f8 z$-fj&W4}7E^0C0~YAv@rNFG<*Pl0hsLcT!+uwcyYMO-oHyO`iH)Ap+aS2?lh1s71l z1iw8#F9~vi&_5A>O(aLnrh&nECH5VeBFZ1>GN$4k&hfQtf^C;Zr;-3QI3A!w1~%3% 
zC+SpZ`J4ciTW|k7)9G^$&0eV0+u4NS)o)qQAScQ4*m@J-q9_$y_dS^# zX_QIvB6Gx6{VpMyN9}4hPR~rB1ue)}nD$_F#gq*hH1}|bF-Aj#mczrFO9r+3Z`Oma zG5lY&Sitf9zQV-VmT$~IGTGBZ#A;gJu08E(ouXq@NG#Liw~173LLN#E!9*BpY-}oF z02^HU_5T?TlpSc`QQwJR(1{kIW%xYDXo|0&Vr9ahN7`d=na ztvY-pO|nC5p^5b7`=u&$0dy-GjZ5~h3DX7{llhkReDhfrVe#iGadfVlUA`^CA6mLz zH7nWJu+5kz2aglCvoIv(JSSi)0z!V8aOy}dX7>RKW< zQ%)I*J3vlZmYOsm0g8geKO#8IM9?YQ*;SQ6wCN#}K2+*yTPMJ)4ZDDQHN=c{S=(2i z?G>!jqE6N`P?XdmDCJ{Fz1DggL1al=s#k`H)bOmDGJLNe35_6m3knTxhITi4>IKoY zX)B|X3~XsDCOic!Kxvj8P(G%9SQc4p+^mUaKuFiI=D0g{3I```frW_djf^A=%!$Wp z)v7Z-TG5qqC&nwFk6rC=pxNBoefHMNa|LJHDU!vWM(^CYK4dtjqByM%RNTf@ry43F zG&j=@)$t^C)XAH@&Q&(b8ba6i)82ieQfWw&3n%V6@)mvA7}+XnL^nwgH=8oTRYagV zioPzrlep*M$t%G&Ty?>R$1eNli{OIae(U>`VDt~v<0nm8*!=T~OEv1(XG&K*Pt<12 z#a>~#q&9T#%?ZSbNVT9_7l5PcN+iB_KavW6$7?`ZvqU|-VPcKZ)Bh0dRBO}+6(_U=7bsPs1{6^oU zE%P%#4l*sHmu@AZVmxKm|l; zQ4twYL^?zJD)sF~nqNXXn|^bKmP;Yu!(zv7yeA zAJ_jlZ{EBmx`(um%$xV!dE$5Bw|GXl_Ry_)^S=4k>8P%=uI|ox3-KI|{O0?4-{8^t z@9^-S9)J7Ick}SnymRLm{wCm8 z9*52#<&}|Lw1iu7U9;d1*OWX$2L$UshgGO;$-wR(_M* zZnfPCY6`0JzMZ%5>K|7`oMlt;xAVmCw~hD*e&n3&6&)Sq9HkVM98{zfot%`U?Btal zrIh59WS#7tRqP#k`|&y{pLaKPBq!_98qyx@fJ%Ot(By=z}nZ~VevP*bzn zVNJ@;{=3rVyVP_qo(wo#r?~p|+N;;LJe~ewcG)kv_ZJrasJ8Hz_}_JwEokB-@2eFn ztq7eg>J$0;HT<6JIoi?r)iGsO`Su$cVlLJg9aNle*J84l@*8_Bk=!Z78|f(zu8Z`f z+g3WKR|KT&Nc1!HmS{UPy`{@$!>dnOXAk5)5i1pnYuoHC@Mz=NNWOM)S3qIlgiq=Q z{_tMbrPGOChLH>VPoBE;LR0c~*2fV4$Z`!;`;WBqw+(l0i8Wqodw8*qel24>@~vQV zSpVeAV1l+uJHmy(pEqVRXd%G`3RqoIFp;KA*L_~{ayWeQjZwVhS z?DH~zuXwzn_fSg%)k{eG?X_d}>@}h^gXyD56wIn6!ERxt2y|1N!vO4*gHuF zd-=`{{~l7XubqR3lm8}rCl@zwjV(h(j4hko95uFB?lzD$@IBz<>UM~H+R2n`Xy!on za8PyJLel(kPp}$J;N|3Rw<*}m)7wuiSYylFdDZZkcv@!5rny7>Jv6o)#RNIvbJ}T> zqO_v4tdw@JTcG?F%^x@IIqm4Ic0}vopQpgTG`6_<`}?ZN$OHuiNe3xN`kyBMw zm64T~k(Zak5mJ63-u`yMQr>=BiBtS>4lO4?htqDp{%$_rn}~DT+4}_eYi!wq*Ejv` z`n-G%4E}z4Z@)iB0plSPZ09Q@CoL=E>>H=M_Lx4na`tjcaFCpkw&DMbf4RVh0sCs`>~1r-&0dwG@JO3IG^bPA)> zZkUyJp8tGR#Hk!{Dp@;uIXhWp1t}#J6`V>{RzXTdK|xMRPS(LmNl8&rR#91D?o^Hr 
zY6pEzd)eW3x_Q~TILY{WyUe{n47l1pV_l6c^3t;Zc*fY%&fght(Ac8y<{c3Hj~C3` zyqrw^?TFEoQ*KZebu_VfHtoUjxaEi3{P6i9b5H%TqD-Am{qe6q{^{v9x0E(*np+fVb`F1h z1wXq$r$25M&h^Jj4z70IE>4IZe@@rGJ@59vO$8NMC3_VGRVg_qW#azrc9gQ;t)haj zqu}VMtm0@Vw_AB`6#jm8KOblRAiL8}`&=-N7%NQAxzw|1``nG%@js6aa&;o^0tQS< zR!K@${?7qZl>2kQWd8iZGDOVy+c(}L^DkqvXYPQ13Nm=#AI~9pAr{K~JsAEuX1Lz} zKY#wb7yo~L#HLOE_aXn*`2OE;{oio?TO;sq9sGZ@>;H!9-x`5`>)`*JU4Pkd{rHb^ z%E=ojC3^y*(kNh>7xe zp03tDv*3?kTHS)p8`kl;v6n+s*1g$t`SLRPd3NW{uG`YQf_`P+PWzwjx4Q4!cg?-# zxVhP?=x^!v`_kz@Mg4U0n|&|#?%nj;$(t{isYE91-M?w&qFe9BUh;by`uKU8EW=}u z1*a)C?D81(Nt@8Y{2{+f0aN|4)dskl=Yzc`cRV?G@a)57_}9~mQF@0r9{T|g*M4(m z2k}RrDE#M};(xL?3Fbf`75_UaJ9h~2+VhhHmofL+PcH}>;g8qm-u%aFb8r6RwYfLX z`wve%^-RSrQ{BJcSZMM_`!PT_Sav3_~D0)vtCNAHTQM4Zr%Fbx8JT}4YfTp z?W|Ix@@DHZOdH1X^YdNaCk)hQ#70C!Ea${=#_NpM$k;qcj5&XP>i08(^c@RIw{uX=3*R)rW{++sZVFO=iF3`ubSVMuwdy1WBrM*?XB6O zuOnAVxYKhqYundFG$iZBe*KA6UVR~H^sl_h^d85v;(PY&3H;jD5-3!Xk+DNV09nd0m~U|4q;KLi0SHot+(xC#$?oOZvA*i8K9_elZ@goGFx8m1~a z^nbXg?A>-!mP_J{57Y&I<#v>W2Jj=lTd*`eq9R6A#){uv5fjbSvtF<0dbwuefMm91 z(##Npw0ZNs@W`;RuqWQ_nK`1lEyt~`Js1&Z@=DK~Im0>0?C+oYl3N|ftk)gMF*7&M zx6joj38ya>5D5ExMW--uFjLcdRzT1abI@L1Qc};Kx_I$oZLWU2l7ShuvoxH>DT@$P zuJ4^38(Y~!o!aD>J{H^cYAWIAx6eywIZcfBm6h^_q~*((TV$DQh^|@V(!}b_K2dbz zh7f!BtqjAHu|{~q2G1sLcO$d4VCdd~h@%T!%c%}T$oTKW!gFcW7Kb{^9Gi`5{^_SU zZcW+kU1bp$>x?3nZp7H9CU!pYvTn*g(J;1AJ#bY6$*=dq8^@@a7|VA#R{4kPt1-8B zN=i1cjBd)>eQkTjWTzQojxo*HvskFsW@g(8oz|^ew|I?oeV(Y$uA>i6zW6qL#%p@C z$7(XyRpF+7s!ZwBmbn=5`t?D!uc>KlQBmljL+1+$3hYZ)>y5`yXAg|*932}=)4xTt znQnXLXXTU4U@-b+Ll6pth}h6s7?4#|RK)4>9jFyE;THuB3H3xQ5f(4(=y@9#J<)el z&Y`y|J}r^T8AvPeYE4aK^d*LBabrX@KH5J@@54e+#ypz2lU^7!)X~=FnLxqHTDNT3 z^OGEf>90jY7wYug-81hArRl{<(`K>2wOB1#mNGR-mnT-PSWz1_lf^R<*S~o;K!eNW zYM&Y4PIh+Et(6CCYnm7}%%;Z1L=x4;mK(iB#=_j(ZKro`3zNl?IsWu+MrmAJQ-Z3W zTHu%T;59pU?$lyeIp^L}GV=9(xSiVldI^1Kv5}Ecdy}L)1ry)OHnpXtg{HS~;lgE0 zQiJ9lSRxS^l{EUZ^#h$45!!4Hg`Gv>jl?_e^p8fd=n}5bjPwQc-7zd3$H$Q^_6nk1(au z)3;y8OsY%Ki>n`tld&~4GP3kZeemF2dAZp3?Y~u38Hm|hT1r^Gd--zznl*7BJ{Y^W 
zxLlvDidUAgE!`j_)cg5!aC&ZNfBiM8D`c!Ue5xyg zSx!PqBIbX`@z^(tJl@cE|AKl}B)ACUaYVtJ%fR`m`I<*@Cp+4vY6 zU+!N~TwLrgY9Xshsf;*!_;A!c4kio#!Li(@GEcw5733}~Fb)eV?)P05eqzag2}!OI zipC#UW|*pSG>U#@`R0Ps>@#P`&1GfxkykXRY-Ypr=X<+%*}JHcm#b$#1N;N`pLZtoyaKz$mYUayc$;&B~Sc zug>=0k8ysVu!Bw={j4i0Dti61wNDBAqeo7LWnf^Sx3~AwrAsZ|Sz1_hJUw-wK5Xya z=a~FyZextmN=d{Fp^^>4>(^^>CkN_W%FZo`>OulY)C{*OnYy;a^oESBcS6~=ty_si zNxPGD<3?)YP)Etkm907#6cVn*#Vz>$`}95y4Gry?PUqbA(Zp!I!*_004eg;V$X^}O z&c*GF9wlvfMOUd&WDj+9ZFYa%)MPm>fiI}VMl{Rsuy3EyVO4SMgo-I#4x81~z<-nP z(WFJC(P;Zk$DDJg8!T;?EL><@yqH!{FQ`0;c_X7JNbCxB9VV2#Ka<*5x@Sb!RfyrWt#EEk=c@)cCV4NW5)mv$!C>W)Kf8i z(|JFA^Ihe#^#{4j;*aNdl;aj zuCA_O4BxA{G`xsRsY^8g96eGUvqANA)$QFJp*|Vv^jp7bjkLrZI^E0Da}_u8^XJbR zp%bo!whAuqkLSBzCzobsW~QWQYYgF)-+%voU?Afrb!MJJViOV`BnF*2b>-`V31FR{RiuB)qC8{3GBee*_Fth2t}%+z%26!T?GjdN~DXsEi{&hY4(4HwTRbhooW{SjjKvyhn&ik79utpsLu8Y*c(6>PxT>m($rhzdbs-K8gtl-;;}~s4 zK{;f~cz;d2lGl;ypn=+yyLb0$ken*7VIc|k8Qi&Y1&eGcJIuz$#>&d7b)DfJ%+>0g zD(9k}C2QiYsonZ=+4Wwl_5leIDVq zww;e3%hN>@fQ{?p%vgpi!?pM$<(qEr)}~CIH#av=$)Nc8jm31||Ku!0XN)^Pd-~Kh zJUD>y<=gMR(+*)*mys6!_~VKmZCjJ}Z`K-mFG2up*E2BSR{2oM)Y>wNOG@$^slzW8 zXftG++2xd+oMYPBI(xuA!3gi?=fRmm+Si`1|(@yq|VTY*j?%@|nr3ta@s` zbc4#K${_@nYg9gWGB-E3VazmD|5?abDw$V0^L3_)!AnW(%=d^(=MzBEvWG$*wRm2*PoHQuwyc@`ANj*wWuhUUm$SJoz$0|7p5Ot* z0u#+$yB=W1cc!V_uli0vqTmNoPv_65O}19*Xlt*_ef_ak>?Z$#R)v4M)E zGLx=ewNEdbo$gEOdsS2hgfV+fu+6@vriNCWmL?G$xEL|<;lig1T3TA?M~NCV3>av; z=<3x@>FiU!z9(bbLe}d4Y^_fYOiN9D>{@UcmF=H5W=Vs9chS?QDki0-X@;~gdwbgU z&U*(I9H1K^1-ESbuXvh2?pT6i13f$2La?c!VYjk!yuP@MjLh{g1A{6-e%Ypw*f*aC z2kCC7C|@d&U{OkI41N9Df$4XB7Ku7#vgyT(ec`9p3k$PYEGN;M8#b<%X>^p|t*EG| zq?Fl5oloN$+uF*sub^=Xb>o}3#d&#o=SNdgQb58mXQm_i^yGjZgU5Oe*kNvNZj#1%Q*OW+b^d;ffBZ2oP&0V= zBt71*y)fWl(J|azCbv3?WNWrZLP94`6BLF}gKeRIMmhz+^_~zFZ=~_+YHPLFf})zc zGLtS}-Xz?-OUQ)#(@*nExFCL7dHWx&vYy@{Y7gdWcB(t3VGKh|;{axb_uUCP>he23 zj=|ugKt8%4^vd#1G(=#dGF>*eizgSRrb<;&Nv*_0CGZ(1>Gc7!c* zho@3eVPPhiKI@Q>XE8A`pX{1zYqzu~St<9S#v+1jqK~WV2d?uKktYoe4a|7{>x;s~ 
z12%xkX7|$6)Pv-;QA_(qM^BrC1KnrJkYjnz0WT^lbV^EH7wgWr0W#&ZRDla^ZE06&MgwPG`-Y6{00$L$hnUn3$O&{|JD#lnloqC}Tu>4^$!z^*-@bjQbn-hF zm~)G6i3+Th-RocS^UptvKToeGmGVylQ)03^w13&JuYcjhq^O99bY&2;KEr?>Q=h~e zPm@Rt-migbBZuwu5kaZQ#wfSNGsa68AEBdD!Q;+k^$~0Z`^1S8+U$#gLfe3*M*-4l ztm~SsKV2c+MBOF1ZQI#^+~~4OL)!#W)WwUddk!2ppgoG6dOiU~l5HJ%!fEWNz#4MLNQMk<=B*LLv)kL-5A5Gx&r()aUa(++up<|xsx}Mn zmC3XPz-VqxPpq!4W`s>Y=5%#qri&=u(s#yfREkav!obVOC<%#*2-O9VC;K z6%|3&A2@I({b`G5V`0eqJL)d!<>PGjYBs~^ErKE#nFAWdpfhSql8FL$C=H;ZmJ`$- z5Le}Wajo2b|3_e8X`HWLzmgXyMVAMr;hLs*@P&MlKbKSXA31Whk%L_BZOXcJ^XB$S zjIW})y0r%CYaNqt6evIQPvv%{86;_jmq)GUERCH*utK{|-r>iC$`R_KR-7a+_Gi{d zYELZ!m@Bx{*cmDC8-l^Ln2Q$&8|m=~wCaXoVSC~?(EVnpip9C#FIW&QGI96rCKK-P zu&)XC$w5rfeEruQEYtGx%<36u&Kv+tu%AM;h)`{A8P`ih&~>z*4o ztzEay%|kDd%A2-G2!B1mXE)id*-i54*ki&)i1BFmd3!@@C0pUtC#|Klq$dP?W}D5< zP7GPlt(?*Xi^fe4dwM=d=bc+3Y;}rp`0!x}LLc+>%tGqZO{|*6&IoGCe(W{U*H?T` ziPsD-OrKsYX>p#30>*}A@7-B?g2j1SRHSE32AShErF_F)l7QD+wrtUwww?X729$`0 zI;$?SDE zjd%3YjcVsdp(T|JmChV3;7702^X*%-c=5`fl9Cej0A_t)qmJ6s-zTCXBO?(RH@F)< zc94>me($N2`<`#&@1M7QsJFK8wt z^>hl*(Ea=OSC@f9m>3>DkAV9wX-`P4rxNg9Rt_I2yCEJCINaFSn3%j^y$thI5NS>Y z1zF}0O!uF`up8Cg#j%I1j)a3*G8!#WQBhjlYuB$|kBiIlN&NKb6Iin7rCEZSQ+rEF z{WVfpeneSH0ak{1!{l0;nVshlRcCChDQ=IzW9oW>_QGl~v$V|WLzZkXa#nW+X!I_4 z{P?kje`0)m*3nM;M~8H5=uPn`D48y=&M&u`IhN~uF+J%`tVHXDZGeB14)TyYyN~-| zW#sX{eDUlaA7V1yn_Qd`@;K!HN#~>DtDJ?s?*y6qT525D*~#2ra#=}VE3UBW)I0;f-( z=J6&O!f8o!6&_IzgYI!j;59Ice)uX|8?naqOu~f^$OaMHhx+^1E?@qls;s&UbeZu? 
zReSr1Yk~p-ie`K!%j`jQ&lE1^fi*`0)D4-M+X+|&N6_{;L#8+NLn#KVT6Ka?vRe0$p z_XYBKh-P)%;%(yM>-)&2M~)`PwoX#*Ou!NbBZ%imlm^~5j^qcD7K@hX9 zL$M-&1V=#_=O~>~B(xc_&4nk^DajFMzOpeu_NXH`&gxWN@%ReLxiZss;4}zIrDdJ2 zGZHE)D!X?#sL13%GcA1jG`$J9A|fk`HE0`#rJ1^q75J0=2xgo~4{Q#Rw>uv@MW>fS zFHEP{*d#Wd(Ns_{t*<7QH`~o^;!6vShh?8Pk?UHsCH@Lb3%W9!0ai*%kyZ0}1ZQhQ zQdMoqCRP0}xJiO3f!Ca?8|l^(g&j}|*Jtvl$NHi<)o$V z{t-zC^_fM!0nLmvGCaJjq3KcY4g0LkrE=`y;q5XqYkIWV1ndqOh_>YxZTX$rgnI=# zD6&L=v%sj6xa9Iu5ylB(aqdOo7K zHg^c}Q*DYKa~ckZWAsMQhVF$7TJ-K)`ot=ojan^<8=KO>81I!n_IR73qFD(K>~cyq zqw8-p2Tbq9C6GCx)OLYjG=H zy*kg7v3{a&Munhgl@rua9C9!;7}~haOt_7f>76%@RzyN9jgF4?*XX3oc(I9)YBiK| z<7av^CQ8BH{rmUF7j}H}-Td>TP+9rBnW2ky{L7mUH0K3=1`lhb!M;Y;gtBJF2W*9q z;l4E*l7367QcQou(%3iG5)hz0n$uP-z-6uN@8n60U)-2V)$UdZS>&y9_aLMNR|iNHo&EXex!kgi|XymR)mvbt># z_2#huqg>~z)2B|Eq*bEN=(s)7WI zL_?DwvZ#3M8x;hd>gY!PbxWH?C~b2(kq2!`$QezY5ADvtJVBua0Kp-pv#fP!gheTZGFWF|mrTg|MKvp-vPC{_Q~7A8qdOxpwDPxahK62WmavX(4f zT=$Uy4FG~rMh>-RpWEIgOO`O#w1WTJ>8%v69qpEHMLkyr{^i4_h-#$YFXXZ0)YPc# zAl~dWje~PpHQ}_s4vl%=1C1Klh|B@QLUHkN*5_1*m}3NC%NKoBQPEUikHq_U6~6|0 zp4RlfGxPH^*y~h$?>2HEOxAHz>f?P%Gjb@$k8cpXQgTRN|3OAZWK4|94)4epXBM;u z@Vy3QeLMgd1V(x`1^wNH_n#W+=F;y^8mHaW<2YHi+?}$r#$r%drXeJQaXWQtgpfbj zgkB6YP$-+(1DfnAv9`3iH}%C$NMNoBYPY(trzesLxP8QfUptEn1y>6@S^CXRh$=9{ zkSSofAP_UTUph)!9py8czzD>7^IpArH9qcdV02@=7iN`bR6dW!9$~WwkqYc74VmT; zFgS)+aofpcGLo99SQ~LeI-=fd$9KBtQ+U&T%xR!#IO$XX%&@rY%CgvG%sbyN&2rtv z=Prqoq$~AACqN`8sRtQyWv_^6+ES)d#;;<2D9Fnzvd0F}k}L?!u8X=&PtR02(pU=*QmG>ImQ4`Bd zx_#Tdjv#bt6nO;&ZFbXxV_P#xA)}5aT(~%*m>7jt=jv30c;|F3gc=B7>=Qni?AqK_ zt5&(5pz7$T^EUqm!khK!3o1wtKCqioeVK~O`wa)$Z3o`kfBx-CAU7PEd=q?0Swp<} zU@BoCd*#X%FZVGRhnnCWg#PN$;o3o&8H5_!p9Lva)P#rSa17X*Y{QLM-&QHJ@)$AU z{sQyo#BaK$?VWtyB(sad;W)j$q04^-zY*xa?5mjYAy9}LB#~yd>lyXXp}}}Ij1l)O zodWYm<4j5@DGZ0uW>Si%ZVKvwUp{c#Fn^}Ai@qKa0Qvgp;X~t+U_`q)10caX%^3j2 zB_vqZ3E=z>@pTU#JV;c5K&|EQ0Gg2?NQ0UaYr*{b=!5%@dNeXBiuvK*nNObz>~$p! 
zZhwZG<*afeK#_L*G!#WznO)!eJ47*>E(T!{T*{7fkjA$Z64VArCrDd!cv287x`Ois z`zclq1L%d>R|dX4Gb^hhe$mpUA|y&NSrea}rzx!DsRFAaS#!^x<7QM)NJz{ywvnD5 zt061SehOZq5(pFNJVdjG>ed_v51!O*n>TkUk@^6%1_LD}C0DY)pbA^P`ud+W<$0#W zwr#E@9mU0a=#z@5Tb!$HsN8@W_WO8cBM*{-^E=u4v^SW+@R?>zlHBXJn{Xj)L^f7H zhB2ce4_XabLV4BVLRWeKqg)ALB_y9(upk0x0~NKT5S);T_0GV)m!hI}?%JjJTh~K^ zZQ~<|&^Uz8ivv#G#KeTjUL$3-EfaOuaTETT`Ab$bOtRSMjeq}Tb>4jFDl+=mDj4<di$%rA4TMy2oR$UE5Y!QC{vgn1+&uHVaJ`H!(Re==A9ozslGYPr=hwYp84u zqo1@*@mf*Q&VwS^2u3D^s$A={J%7EtO+Drl+tqxg>@h9A`gC z=fRwkYIw&z=u6&XUjq*Kp`jS~L3!JKNgZwWrOqERNAF zOh}6sEh5lu>df`q#80LVNq{h`4tH^wdOly_GXx~4AEN@EfL3q7DXW--JqSaqJ~!p| ziP@T)H$;h%`|m}(EGsj=DiqyQCP*^NIc{U)ovz#nYme46Z;v+wF;>+>|LZv4%17sGXB+U~Vq8m0mVE0G{biMq+gaR`LBnakAAKVBu4p_>u z@o}>pTMG+Ry#OI35(7A3M=zB>(-|5Z+{T-61XTTUas0uB3m57?R>NSW%}q{8Y5CFu zSe^Iv4G?oQ2lY3q7w934?18ptx#>yB=5h|Nn}=;*y?!0lSm%EIjvILCOAIUD)6BMK zV?gMuWC96kmIIJ+?xTQA$@tZKjSNfz08}FHQ$Ubtu~7#|WitE+judI?&vLobnxhi+ zjg1`>p}43~Q%&FKB^y+XuTcl{o1oo0G%lepTe~)R^z$1ykus=<*EGaLM=R8`k>2XE zMFZPxz)hcAej#SgK>zP>z5ly8G~=A#I&KBd#CWCd`) z2hIsZ;xf*kH-2OL)OVl%BfxH~yhHf&Eu8gZuqt9eWaF!LP7^M&)vMV^R|pMaaBN7H zFn}p!iidx(pBk$sk%EWsl1IE+pDe+(b05}nAGczT!R|9>067?X%UvTuaHHBb?#h9I z0YLw#F6EBk`%vl3NbvE)e9j$4<=PK6gWOS3k%lN97-%b1ZV^A9CIZ0a>7`3l+M%~^ z-P*x)fdMLzJK&Bo#cHStqMH_X*Ie~ND7_q3BYkCq=x+CG{=+L8<^*2~IOipNZC%|( zopEjZF}G3XTG|pk9-RwM>;V?q+jnllOdgvv4)td zSFhTHv(4X^P+jJx)x5R878EE)`z}Vh{?h8hSRJnMn%1R5!~&0;lGH?_Lx+|%5FWv# zkluBT)BKlzk#h`A>pu;S#b1%pvPDpn!c8Mli$jlc!HETd0y=T5>$Iu_0u zU$-atVJUmMT!wOmaFoGcb}5|)(|rmrxq!yQOx}Os!0NcXloT=OSMu_YA%^UnK6maM z1Q)h5(lmoR(R%adO~Q-|Ur%3WNZ-bRtxBlDK!;s-q)>RMgtpO>Vq?1rXpB-uhA?N_ zsKTEBzYfP_M@3;bI}l9%P*X|W_*$S?CLzXIxQ|J-32txT(-7; z;`xZh6%rPfEVRio4@|vP<=pLQnA`FoK#m$bk~KCwe8|X1X4fvW2Mj_aChR-ocd!BaHcf_Qy=~Q zxrp|`gHfX>wvii9?)+(sgjeNjOKwGVwUJzBu8YwDdY{H5ILB&{iR&fC{Osig%m2gv zp?`4_6@C7r^{K5x9KPof6gXLZ9v&VD7pp`>I>3xvpN00>5!}6m&B5xOQ@BJ`Pj3TK z(LmSFG`N|l8?JAziZQ!D?;r*lXiyQ+!QCubuXsp~4-j())loeoCZ-zA5D(T;;J<)R 
diff --git a/assets/monero.png b/assets/monero.png new file mode 100644 index 0000000000000000000000000000000000000000..d5d3a86f1d01376a472f3cdd04255fd7188d66a6 GIT binary patch literal 37794
diff --git a/content/DONATE.md b/content/DONATE.md index b8819179..53549729 100644 --- a/content/DONATE.md +++ b/content/DONATE.md @@ -14,24 +14,24 @@ There are multiple options available for donation: ## Bitcoin - + `bc1qj4nxpfhsgj3f7w8c2689kq865apfla2jyxgaem` ## Monero - + `43fry9taGiwhAtNYEZNfssdzJ8Ra12ewAbQoVsvFzoLS6qMSgsE2FvE7xY52rAnKjPL5r2N88KYvqXpthUfSwa23K1BBMD9` ## Litecoin - + `ltc1q65hpetza8stgje640pcn25mef6xpdzxqazcawq` ## Ethereum - + `0x10289B51aEF109BBc07F68341F2Df8Ef60a5b618` diff --git a/content/REPORTING.md b/content/REPORTING.md index b46b0449..14277275 100644 --- a/content/REPORTING.md +++ b/content/REPORTING.md @@ -1,7 +1,7 @@ --- title: "Security policy | secureblue" description: "Project security policy" -permalink: /security +permalink: /reporting --- # Security Policy
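Review bot: in the DONATE.md hunk the only changed line under each of the four headings is one the extraction has blanked (shown as `- +`), so the hunk records nothing about what each new line references; before merge, whatever each of the four new lines points to should be checked against the address in the backtick line directly below it, because the two have to agree for a donor to end up where the text says. The four address strings are unchanged context in this hunk, so the check is on the new lines only.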
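Review bot: changing `permalink: /security` to `permalink: /reporting` breaks every existing link to `/security`, the URL this page served under before the SECURITY.md to REPORTING.md rename earlier in this series, so a reporter following an old link lands on a 404 instead of the policy; keep `/security` reachable, for example with a `redirect_from: /security` entry in this front matter if the site uses jekyll-redirect-from, or leave the permalink as it was and only rename the file.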
From 6788de4503ad92d26fbccaf566236b8c7024e8e7 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:25:23 -0800 Subject: [PATCH 05/35] fix --- content/DONATE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/DONATE.md b/content/DONATE.md index 53549729..844e205e 100644 --- a/content/DONATE.md +++ b/content/DONATE.md @@ -26,7 +26,7 @@ There are multiple options available for donation: ## Litecoin - + `ltc1q65hpetza8stgje640pcn25mef6xpdzxqazcawq` From 9ffe980faa3dd44a16a072025a910d3a1964bce6 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:28:31 -0800 Subject: [PATCH 06/35] fix notifs --- content/IMAGES.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/content/IMAGES.md b/content/IMAGES.md index 09606675..0a46f254 100644 --- a/content/IMAGES.md +++ b/content/IMAGES.md @@ -14,9 +14,9 @@ Table of Contents - - [Experimental](#experimental) - [Server](#server) -*`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau.* +{% include alert.html type='note' content='`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau. -*`nvidia` images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.* +`nvidia` images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.'} ## Desktop 
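Review bot: the new `{% include alert.html type='note' content='...' %}` tag for the nvidia note in content/IMAGES.md is terminated with `'}` instead of `' %}`, so Liquid will fail to parse the page and the build breaks. The content string also spans a blank line and carries backticks and a markdown link; an include parameter is a plain Liquid string, so check that alert.html passes `include.content` through `markdownify` before relying on that, and keep the value on one line or hand it over via a `{% capture %}` block.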
@@ -24,7 +24,9 @@ Table of Contents #### Silverblue -{% include alert.html type='note' content='This is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' %} +{% include alert.html type='note' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It\'s primarily for this reason that GNOME images are recommended. KDE has plans to fix this.
    GNOME also provides thumbnailer sandboxing in Gnome Files, which mitigates attacks via thumbnailers. + +This is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' %} | Name | Base | NVIDIA Support | |-------------------------------------------|-----------|-------------------------| @@ -32,7 +34,6 @@ Table of Contents | `silverblue-nvidia-hardened` | Silverblue| Yes, closed drivers | | `silverblue-nvidia-open-hardened` | Silverblue| Yes, open drivers | -{% include alert.html type='caution' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It\'s primarily for this reason that GNOME images are recommended. KDE has plans to fix this.
    GNOME also provides thumbnailer sandboxing in Gnome Files, which mitigates attacks via thumbnailers.' %} ### Stable From c96d69a02a063683c79512908b9be82bf2c84242 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:33:58 -0800 Subject: [PATCH 07/35] fix build --- content/IMAGES.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/content/IMAGES.md b/content/IMAGES.md index 0a46f254..c96806e1 100644 --- a/content/IMAGES.md +++ b/content/IMAGES.md @@ -14,9 +14,7 @@ Table of Contents - - [Experimental](#experimental) - [Server](#server) -{% include alert.html type='note' content='`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau. - -`nvidia` images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.'} +{% include alert.html type='note' content='`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau. `nvidia` images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.'} ## Desktop @@ -24,9 +22,7 @@ Table of Contents #### Silverblue -{% include alert.html type='note' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It\'s primarily for this reason that GNOME images are recommended. KDE has plans to fix this.
    GNOME also provides thumbnailer sandboxing in Gnome Files, which mitigates attacks via thumbnailers. - -This is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' %} +{% include alert.html type='note' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It\'s primarily for this reason that GNOME images are recommended. KDE has plans to fix this.
    GNOME also provides thumbnailer sandboxing in Gnome Files, which mitigates attacks via thumbnailers. The recommendation of GNOME is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' %} | Name | Base | NVIDIA Support | |-------------------------------------------|-----------|-------------------------| From 90dc4f60f0cfe02e3c5fbadd9899e45b8d90f4e4 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:36:51 -0800 Subject: [PATCH 08/35] fix syntax --- content/IMAGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/IMAGES.md b/content/IMAGES.md index c96806e1..7cf59c53 100644 --- a/content/IMAGES.md +++ b/content/IMAGES.md @@ -14,7 +14,7 @@ Table of Contents - - [Experimental](#experimental) - [Server](#server) -{% include alert.html type='note' content='`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau. `nvidia` images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.'} +{% include alert.html type='note' content='`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau. `nvidia` images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.' %} ## Desktop From 57a5a00ea05802cdf6500a4a378689a8b074bf6e Mon Sep 17 00:00:00 2001 
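Review bot: the commit titled "fix build" (patch 07) still terminates the include with `'}` rather than `' %}`, so it does not fix the build; the actual fix is the one-character change in patch 08. Squash 06 through 08 into a single commit so the history does not contain two revisions of content/IMAGES.md that cannot render.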
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:39:47 -0800 Subject: [PATCH 09/35] more fixes --- content/IMAGES.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/IMAGES.md b/content/IMAGES.md index 7cf59c53..35723e8e 100644 --- a/content/IMAGES.md +++ b/content/IMAGES.md 
@@ -14,15 +14,15 @@ Table of Contents - - [Experimental](#experimental) - [Server](#server) -{% include alert.html type='note' content='`nvidia-open` images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new [open kernel modules](https://github.com/NVIDIA/open-gpu-kernel-modules) from NVIDIA, not Nouveau. `nvidia` images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.' %} +{% include alert.html type='note' content='nvidia-open images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new open kernel modules from NVIDIA, not Nouveau. nvidia images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.' %} ## Desktop ### Recommended -#### Silverblue +{% include alert.html type='note' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. It\'s primarily for this reason that GNOME images are recommended. KDE has plans to fix this.GNOME also provides thumbnailer sandboxing in Gnome Files, which mitigates attacks via thumbnailers. The recommendation of GNOME is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' %} -{% include alert.html type='note' content='Silverblue utilizes GNOME, which is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications. 
It\'s primarily for this reason that GNOME images are recommended. KDE has plans to fix this.
    GNOME also provides thumbnailer sandboxing in Gnome Files, which mitigates attacks via thumbnailers. The recommendation of GNOME is a relative recommendation between the desktop environments available on secureblue. GNOME has some extra security niceties like the ones listed below. It however does not solve any of the fundamental issues with desktop linux security.' %} +#### Silverblue | Name | Base | NVIDIA Support | |-------------------------------------------|-----------|-------------------------| From 01b3b1e4741029f87f2e3412255dba89b8182c12 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:42:14 -0800 Subject: [PATCH 10/35] fix typo --- content/IMAGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/IMAGES.md b/content/IMAGES.md index 35723e8e..35deb6c0 100644 --- a/content/IMAGES.md +++ b/content/IMAGES.md @@ -14,7 +14,7 @@ Table of Contents - - [Experimental](#experimental) - [Server](#server) -{% include alert.html type='note' content='nvidia-open images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new open kernel modules from NVIDIA, not Nouveau. nvidia images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.' %} +{% include alert.html type='note' content='nvidia-open images are recommended for systems with NVIDIA GPUs Turing or newer. These include the new open kernel modules from NVIDIA, not Nouveau. nvidia images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.' %} ## Desktop From 0da05f3d5f376603aa309db83f925b71a7ff5866 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:44:30 -0800 Subject: [PATCH 11/35] rearrange --- _includes/header.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
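Review bot: in patch 09 the Silverblue alert string lost the line break between two sentences, yielding `KDE has plans to fix this.GNOME also provides` with no space; restore the space. The same string still says GNOME has "security niceties like the ones listed below", but after this move the only niceties are the two already named in the sentence and the table below lists image names, so change it to "mentioned above" or drop the clause. Patch 10 ("fix typo") shows `-` and `+` lines that are byte-identical as rendered, so the change is whitespace or an invisible character; state what was removed in the commit message so the next reader does not have to diff bytes.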
diff --git a/_includes/header.html b/_includes/header.html index ccd836b6..db3cf3c4 100644 --- a/_includes/header.html +++ b/_includes/header.html @@ -4,11 +4,11 @@
  • secureblue
  • Features
  • Install
  • -
  • FAQ
  • Images
  • -
  • Articles
  • +
  • FAQ
  • Contributing
  • Code of Conduct
  • +
  • Articles
  • Reporting
  • Donate
  • From aa39d0b2e74fe8e8e426087152ea504d43f715b5 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:47:58 -0800 Subject: [PATCH 12/35] update article link --- content/FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/FAQ.md b/content/FAQ.md index 4f84e2e4..763e0ea6 100644 --- a/content/FAQ.md +++ b/content/FAQ.md @@ -37,7 +37,7 @@ Table of contents: #### Why is Flatpak included? Should I use Flatpak? {: #flatpak} -[https://github.com/secureblue/secureblue/issues/125#issuecomment-1859610560](https://github.com/secureblue/secureblue/issues/125#issuecomment-1859610560) +Consult our Flatpak article. #### Should I use Electron apps? Why don't they work well with hardened_malloc? {: #electron} From 63b45a930d1fea8258a8fe172b092c394bd34659 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:50:44 -0800 Subject: [PATCH 13/35] formatting --- _includes/hero.html | 2 +- content/INDEX.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/_includes/hero.html b/_includes/hero.html index 080f76e2..009eea38 100644 --- a/_includes/hero.html +++ b/_includes/hero.html @@ -1,4 +1,4 @@ -
    +

    secureblue

    diff --git a/content/INDEX.md b/content/INDEX.md index 6d5287ef..f3cc2595 100644 --- a/content/INDEX.md +++ b/content/INDEX.md 
@@ -4,14 +4,14 @@ description: "Hardened operating system images based on Fedora Atomic Desktop an permalink: / --- -# About +## About secureblue is a security-focused desktop and server linux operating system, developed as an open-source project. It is shipped as a set of [OCI](https://en.wikipedia.org/wiki/Open_Container_Initiative) container images, which are generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with SELinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a secure desktop system. However, the security posture of desktop linux is broadly and significantly lacking. The goal of secureblue is to build a maximally secure linux operating system by proactively increasing defenses against the exploitation of both known and unknown vulnerabilities while avoiding sacrificing usability for most use cases where possible. For more details, see the features list. -# Who is secureblue for? +## Who is secureblue for? secureblue is for those whose first priority is using linux, and second priority is security. secureblue does not claim to be the most secure option available. We are limited in that regard by the current state of desktop linux standardization, tooling, and upstream security development. What we aim for instead is to be the most secure option for those who already intend to use linux. As such, if security is your first priority, secureblue may not the best option for you. -# Support and community +## Support and community Opening [GitHub issues](https://github.com/secureblue/secureblue) for support is preferred, but [Discord](https://discord.gg/qMTv5cKfbF) is available as well and it counts with a broader community of secureblue users. \ No newline at end of file 
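Review bot: the content/FAQ.md hunk in patch 12 replaces a navigable link to the issue comment with the sentence "Consult our Flatpak article." whose `+` line carries no link target, unlike the `-` line it replaces; link the words to the article's permalink so the reader has something to follow. In the content/INDEX.md hunk of patch 13, the unchanged context line "secureblue may not the best option for you" is missing "be"; since the surrounding headings are being edited anyway, fix it in the same commit.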
From 415e259de237b8c3505939df93c8cdc2d6655a58 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:52:56 -0800 Subject: [PATCH 14/35] more fixes --- assets/main.css | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/assets/main.css b/assets/main.css index 6402a7b4..45117ac0 100644 --- a/assets/main.css +++ b/assets/main.css @@ -7,7 +7,7 @@ body { flex-direction: column; min-height: 100vh; min-height: -webkit-fill-available; /* replace with stretch when standardized */ - font-family: Roboto, sans-serif; + font-family: Cantarell, sans-serif; line-height: 1.5; letter-spacing: 0.009375rem; background-color: #f6fafe; @@ -296,6 +296,12 @@ main.normalize { align-items: center; flex-flow: row nowrap; justify-content: space-between; + max-width: 832px; + margin: auto; + padding-top: 3.5rem; + padding-bottom: 1rem; + padding-left: 1rem; + padding-right: 1rem; } .hero h1 { From 8dc1d7382d85317de58197edf3d4a3f492c8e585 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 20:55:04 -0800 Subject: [PATCH 15/35] switch font back --- assets/main.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/main.css b/assets/main.css index 45117ac0..699abfbe 100644 --- a/assets/main.css +++ b/assets/main.css @@ -7,7 +7,7 @@ body { flex-direction: column; min-height: 100vh; min-height: -webkit-fill-available; /* replace with stretch when standardized */ - font-family: Cantarell, sans-serif; + font-family: Roboto, sans-serif; line-height: 1.5; letter-spacing: 0.009375rem; background-color: #f6fafe; From a6d6672b3515e9a35d8771550ba592acee0af13a Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 21:06:19 -0800 Subject: [PATCH 16/35] Update INSTALL.md --- content/INSTALL.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
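Review bot: patch 14 switches the body font from Roboto to Cantarell and patch 15 reverts it two minutes later, so the pair is a net-zero change; drop the font lines from patch 14 and delete patch 15. The `.hero` layout additions in patch 14 (max-width, margin, padding) are a separate change and can stay as their own commit.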
diff --git a/content/INSTALL.md b/content/INSTALL.md index e48d29cc..f73af234 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md @@ -4,9 +4,7 @@ description: "Steps to install secureblue" permalink: /install --- -To install secureblue, you will use a Fedora Atomic (or CoreOS, for securecore) ISO to install Fedora Atomic, then rebase to a secureblue image using the installer. Unless specified otherwise, secureblue is used to refer to both the secureblue set of images and the securecore set of images, for the sake of brevity. The install script presented in a later step lets you choose between them. - -Following the recommended method, you *must not* rebase from a Fedora Atomic Desktop install to securecore, or from a Fedora CoreOS install to secureblue, or from secureblue to securecore or vice-versa. +To install secureblue, you will use a Fedora Atomic (or CoreOS, for securecore) ISO to install Fedora Atomic, then rebase to a secureblue image using the installer. Unless specified otherwise, secureblue is used to refer to both the secureblue set of images and the securecore set of images, for the sake of brevity. The install script presented in a later step lets you choose between them. You *must* start from a Fedora Atomic ISO for secureblue desktop images, and *must* start from a Fedora CoreOS ISO for securecore images. Table of Contents - [Pre-install](#pre-install) From a5e447a9f43c323f10e243251b4dbd6039fbb41b Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 21:07:03 -0800 Subject: [PATCH 17/35] Update REPORTING.md --- content/REPORTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/REPORTING.md b/content/REPORTING.md index 14277275..a5729224 100644 --- a/content/REPORTING.md +++ b/content/REPORTING.md @@ -1,5 +1,5 @@ --- -title: "Security policy | secureblue" +title: "Reporting | secureblue" description: "Project security policy" permalink: /reporting --- 
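Review bot: the rewritten intro in content/INSTALL.md (patch 16) drops the explicit prohibition on rebasing from secureblue to securecore or vice-versa that the removed paragraph carried; the new "must start from" wording only covers the initial ISO choice and says nothing about later cross-rebasing. If moving between the two image sets is still unsupported, keep that sentence.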
From 29465538d1112521559736d0b624cfea9b973feb Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 21:07:21 -0800 Subject: [PATCH 18/35] Update INSTALL.md --- content/INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/INSTALL.md b/content/INSTALL.md index f73af234..0b215a58 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md @@ -1,5 +1,5 @@ --- -title: "Install secureblue" +title: "Install | secureblue" description: "Steps to install secureblue" permalink: /install --- From 8ada97b76eb2fc953283a23e00b7a844a7fca34c Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 21:07:32 -0800 Subject: [PATCH 19/35] Update FEATURES.md --- content/FEATURES.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/FEATURES.md b/content/FEATURES.md index 6dd35997..8d16ef62 100644 --- a/content/FEATURES.md +++ b/content/FEATURES.md @@ -1,5 +1,5 @@ --- -title: "secureblue features" +title: "Features | secureblue" description: "List of secureblue features" permalink: /features --- @@ -45,4 +45,4 @@ permalink: /features - Tooling for automatically setting up and enabling LUKS TPM2 integration for unlocking LUKS drives - Tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives - Toggles for controlling access to (unprivileged user namespaces)[/articles/userns] via SELinux -- Toggles for a variety of the hardening set by default, for user convenience (`ujust --choose`) \ No newline at end of file +- Toggles for a variety of the hardening set by default, for user convenience (`ujust --choose`) From f0f176e54e359de195c635a36245654f92e7b339 Mon Sep 17 00:00:00 2001 
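Review bot: the content/FEATURES.md hunk in patch 19 leaves the reversed markdown link `(unprivileged user namespaces)[/articles/userns]` in its context lines, which renders as literal parentheses and brackets rather than a link. The file is being touched here for the title and trailing newline, so fix it to `[unprivileged user namespaces](/articles/userns)` in this commit instead of a later one.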
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 21:07:42 -0800 Subject: [PATCH 20/35] Update DONATE.md --- content/DONATE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/DONATE.md b/content/DONATE.md index 844e205e..fcbe235d 100644 --- a/content/DONATE.md +++ b/content/DONATE.md @@ -1,5 +1,5 @@ --- -title: "Donate to secureblue" +title: "Donate | secureblue" description: "Donation options for secureblue" permalink: /donate --- From 50fb0a88365ed82fbd46f08a44134d88096940f4 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 21:09:14 -0800 Subject: [PATCH 21/35] Update INDEX.md --- content/INDEX.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/INDEX.md b/content/INDEX.md index f3cc2595..6970c8a3 100644 --- a/content/INDEX.md +++ b/content/INDEX.md @@ -14,4 +14,4 @@ secureblue is for those whose first priority is using linux, and second priority ## Support and community -Opening [GitHub issues](https://github.com/secureblue/secureblue) for support is preferred, but [Discord](https://discord.gg/qMTv5cKfbF) is available as well and it counts with a broader community of secureblue users. \ No newline at end of file +Both [GitHub issues](https://github.com/secureblue/secureblue) and [Discord](https://discord.gg/qMTv5cKfbF) are available for support from the secureblue community. From ff6d90311e5d7e85eac1b019408a28ac854c34dc Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Wed, 1 Jan 2025 21:11:11 -0800 Subject: [PATCH 22/35] Update INDEX.md --- content/INDEX.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/INDEX.md b/content/INDEX.md index 6970c8a3..e185fdf1 100644 --- a/content/INDEX.md +++ b/content/INDEX.md 
@@ -6,7 +6,7 @@ permalink: / ## About -secureblue is a security-focused desktop and server linux operating system, developed as an open-source project. It is shipped as a set of [OCI](https://en.wikipedia.org/wiki/Open_Container_Initiative) container images, which are generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with SELinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a secure desktop system. However, the security posture of desktop linux is broadly and significantly lacking. The goal of secureblue is to build a maximally secure linux operating system by proactively increasing defenses against the exploitation of both known and unknown vulnerabilities while avoiding sacrificing usability for most use cases where possible. For more details, see the features list. +secureblue is a security-focused desktop and server linux operating system, developed as an open-source project. It is shipped as a set of [OCI](https://en.wikipedia.org/wiki/Open_Container_Initiative) bootable container images, which are generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with SELinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a secure desktop system. However, the security posture of desktop linux is broadly and significantly lacking. 
The goal of secureblue is to build a maximally secure linux operating system by proactively increasing defenses against the exploitation of both known and unknown vulnerabilities while avoiding sacrificing usability for most use cases where possible. For more details, see the features list. ## Who is secureblue for? From 2fd7ed77436c929cc500e56070bf82973e2fb68d Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 13:36:07 -0800 Subject: [PATCH 23/35] comments --- _includes/hero.html | 2 +- content/CONTRIBUTING.md | 11 +------- content/FEATURES.md | 2 +- content/INSTALL.md | 52 ++++++++++++++++++------------------- content/articles/FLATPAK.md | 2 +- 5 files changed, 29 insertions(+), 40 deletions(-) diff --git a/_includes/hero.html b/_includes/hero.html index 009eea38..417b3b55 100644 --- a/_includes/hero.html +++ b/_includes/hero.html @@ -1,4 +1,4 @@ -
    +

    secureblue

    diff --git a/content/CONTRIBUTING.md b/content/CONTRIBUTING.md index 95f02faf..48c14fb6 100644 --- a/content/CONTRIBUTING.md +++ b/content/CONTRIBUTING.md @@ -4,14 +4,6 @@ description: "How to contribute to secureblue" permalink: /contributing --- -# Welcome to secureblue - -Thanks for taking the time to look into helping out! -All contributions are appreciated! -Please refer to our [Code of Conduct](/code-of-conduct) while you're at it! - -Feel free to report issues as you find them! - # Contributing All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. @@ -36,8 +28,7 @@ All types of contributions are encouraged and valued. See the [Table of Contents ## Code of Conduct -This project and everyone participating in it is governed by the -CONTRIBUTING.md Code of Conduct. +This project and everyone participating in it is governed by the [Code of Conduct](/code-of-conduct). By participating, you are expected to uphold this code. Please report unacceptable behavior to secureblueadmin@proton.me diff --git a/content/FEATURES.md b/content/FEATURES.md index 8d16ef62..1994f4f9 100644 --- a/content/FEATURES.md +++ b/content/FEATURES.md 
@@ -44,5 +44,5 @@ permalink: /features - Installing bubblejail for additional sandboxing tooling - Tooling for automatically setting up and enabling LUKS TPM2 integration for unlocking LUKS drives - Tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives -- Toggles for controlling access to (unprivileged user namespaces)[/articles/userns] via SELinux +- Toggles for controlling access to [unprivileged user namespaces](/articles/userns) via SELinux - Toggles for a variety of the hardening set by default, for user convenience (`ujust --choose`) diff --git a/content/INSTALL.md b/content/INSTALL.md index 0b215a58..08887d2a 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md @@ -4,6 +4,8 @@ description: "Steps to install secureblue" permalink: /install --- +# Install + To install secureblue, you will use a Fedora Atomic (or CoreOS, for securecore) ISO to install Fedora Atomic, then rebase to a secureblue image using the installer. Unless specified otherwise, secureblue is used to refer to both the secureblue set of images and the securecore set of images, for the sake of brevity. The install script presented in a later step lets you choose between them. You *must* start from a Fedora Atomic ISO for secureblue desktop images, and *must* start from a Fedora CoreOS ISO for securecore images. Table of Contents @@ -13,7 +15,7 @@ Table of Contents - [Rebase](#rebase) - [Post-install](#post-install) -# Pre-install +## Pre-install The following is advice on what to do before and during the installation of a Fedora ISO, and how. 
@@ -25,19 +27,19 @@ The following is advice on what to do before and during the installation of a Fe Before rebasing and during the installation, the following checks are recommended. -## Fedora installation +### Fedora installation - Select the option to encrypt the drive you're installing to. - Use a [strong password](https://security.harvard.edu/use-strong-passwords) when prompted. - Leave the root account disabled. - Select wheel group membership for your user. -## BIOS hardening +### BIOS hardening - Ensure secureboot is enabled. - Ensure your BIOS is up to date by checking its manufacturer's website. - Disable booting from USB (some manufacturers allow firmware changes from live systems). - Set a BIOS password to prevent tampering. -# Rebase +## Rebase To rebase a Fedora Atomic or Fedora CoreOS installation to a secureblue image, download the script below. This script does not install secureblue into the existing system. It rebases (fully replaces the existing system) with secureblue. @@ -49,7 +51,7 @@ Then, run it from the directory you downloaded it to: bash install_secureblue.sh ``` -# Post-install +## Post-install After installation, [yafti](https://github.com/ublue-os/yafti) will open. Make sure to follow the steps listed carefully and read the directions closely. @@ -73,12 +75,12 @@ Then, follow the following steps in order: - [Optional: `hardened-chromium` Flags](#hardened-chromium-flags) - [Read the FAQ](#faq) -## Subscribe to secureblue release notifications +### Subscribe to secureblue release notifications {: #release-notifications} [FAQ](/faq#releases) -## Set NVIDIA-specific kargs if applicable +### Set NVIDIA-specific kargs if applicable {: #nvidia} If you are using an `nvidia` image, run this after installation: 
@@ -94,18 +96,17 @@ rpm-ostree kargs \ --append-if-missing=initcall_blacklist=simpledrm_platform_driver_init ``` -## Enroll secureboot key +### Enroll secureboot key {: #secureboot} ``` ujust enroll-secure-boot-key ``` -## Set hardened kargs +### Set hardened kargs {: #kargs} -[!NOTE] -Learn about the hardening applied by the kargs set by the command below [here](/articles/kargs). +{% include alert.html type='info' content='Learn about the hardening applied by the kargs set by the command below [here](/articles/kargs).' %} ``` ujust set-kargs-hardening 
@@ -113,24 +114,24 @@ ujust set-kargs-hardening This command applies a fixed set of hardened boot parameters, and asks you whether or not the following kargs should *also* be set along with those (all of which are documented in the link above): -### 32-bit support +#### 32-bit support {: #kargs-32-bit} If you answer `N`, or press enter without any input, support for 32-bit programs will be disabled on the next boot. If you run exclusively modern software, chances are likely you don't need this, so it's safe to disable for additional attack surface reduction. However, there are certain exceptions. A couple common usecases are if you need Steam, or run an occasional application in Wine you'll likely want to keep support for 32-bit programs. If this is the case, answer `Y`. -### Force disable simultaneous multithreading +#### Force disable simultaneous multithreading {: #kargs-smt} If you answer `Y` when prompted, simultaneous multithreading (SMT, often called Hyperthreading) will be forcefully disabled, regardless of known vulnerabilities in the running hardware. This can cause a reduction in the performance of certain tasks in favor of security. -### Unstable hardening kargs +#### Unstable hardening kargs {: #kargs-unstable} If you answer `Y` when prompted, unstable hardening kargs will be additionally applied, which can cause issues on some hardware, but are stable on other hardware. -## Setup USBGuard +### Setup USBGuard {: #usbguard} *This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard.* @@ -139,10 +140,10 @@ If you answer `Y` when prompted, unstable hardening kargs will be additionally a ujust setup-usbguard ``` -## GRUB +### GRUB {: #grub} -### Set a password +#### Set a password {: #grub-password} Setting a GRUB password helps protect the device from physical tampering and mitigates various attack vectors, such as booting from malicious media devices and changing boot or kernel parameters. 
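Review bot: the Setup USBGuard section in hunk @@ -139,10 +140,10 @@ says the generated policy blocks every device not attached at generation time, but gives no caution that a USB keyboard or mouse plugged in afterwards will therefore be blocked as well; add a one-line caution to connect any input devices you rely on before running `ujust setup-usbguard`. In the 32-bit support paragraph of hunk @@ -113,24 +114,24 @@, `A couple common usecases are if you need Steam, or run an occasional application in Wine you'll likely want to keep support for 32-bit programs` is a run-on and `usecases` should be `use cases`.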
@@ -159,10 +160,7 @@ If you wish to password-protect booting existing entries, you can add the `grub_ ## Create a separate wheel account for admin purposes {: #wheel} -Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain attack vectors, like: - -- https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#LD_PRELOAD -- https://www.kicksecure.com/wiki/Root#Prevent_Malware_from_Sniffing_the_Root_Password +Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain privilege escalation attack vectors and password sniffing. {% include alert.html type='caution' content='If you do these steps out of order, it is possible to end up without the ability to administrate your system. You will not be able to use the traditional GRUB-based method of fixing mistakes like this, either, as this will leave your system in a broken state. However, simply rolling back to an older snapshot of your system, should resolve the problem.' %} @@ -189,7 +187,7 @@ When using a non-wheel user, you can add the user to other groups if you want. F {% include alert.html type='note' content='You don\'t need to login using your wheel user to use it for privileged operations. When logged in as your non-wheel user, polkit will prompt you to authenticate as your wheel user as needed, or when requested by calling run0.' %} -## Setup system DNS +### Setup system DNS {: #dns} Interactively setup system DNS resolution for systemd-resolved (optionally also set the resolver for hardened-chromium via management policy): 
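Review bot: hunk @@ -159,10 +160,7 @@ replaces the two Kicksecure links with `helps prevent certain privilege escalation attack vectors and password sniffing`, which loses the specifics the links carried (the LD_PRELOAD vector and root-password sniffing); keep the links as references after the sentence rather than dropping them. The same hunk leaves `## Create a separate wheel account for admin purposes` at `##` while the neighbouring post-install steps are demoted to `###` in this patch, so it now renders as a sibling of `## Post-install` rather than a step under it.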
@@ -198,7 +196,7 @@ Interactively setup system DNS resolution for systemd-resolved (optionally also ujust dns-selector ``` -NOTE: If you intend to use a VPN, use the system default state (network provided resolver). This will ensure your system uses the VPN provided DNS resolver to prevent DNS leaks. ESPECIALLY avoid setting the browser DNS policy in this case. +{% include alert.html type='info' content='If you intend to use a VPN, use the system default state (network provided resolver). This will ensure your system uses the VPN provided DNS resolver to prevent DNS leaks. ESPECIALLY avoid setting the browser DNS policy in this case.' %} ## Bash environment lockdown {: #bash} @@ -209,7 +207,7 @@ To mitigate [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger), r ujust toggle-bash-environment-lockdown ``` -## LUKS TPM2 Unlock +### LUKS TPM2 Unlock {: #luks-tpm2} {% include alert.html type='warning' content='Do not use this if you have an AMD CPU.' %} @@ -222,7 +220,7 @@ ujust setup-luks-tpm-unlock Type `Y` when asked if you want to set a PIN. -## Validation +### Validation {: #validation} To validate your secureblue setup, run: @@ -231,14 +229,14 @@ To validate your secureblue setup, run: ujust audit-secureblue ``` -## Optional: `hardened-chromium` Flags +### Optional: `hardened-chromium` Flags {: #hardened-chromium-flags} The included [hardened-chromium](https://github.com/secureblue/hardened-chromium) browser has some additional settings in `chrome://flags` you *may* want to set for additional hardening and convenience (can cause functionality issues in some cases). You can read about these settings [here](https://github.com/secureblue/hardened-chromium?tab=readme-ov-file#post-install). -## Read the FAQ +### Read the FAQ {: #faq} Lots of important stuff is covered in the [FAQ](/faq). AppImage toggles, GNOME extension toggles, Xwayland toggles, etc. diff --git a/content/articles/FLATPAK.md b/content/articles/FLATPAK.md index ad3209a9..01c9a82c 100644 
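Review bot: `## Bash environment lockdown` in hunk @@ -198,7 +196,7 @@ is left at `##` while every surrounding post-install step (Setup system DNS, LUKS TPM2 Unlock, Validation, Optional: hardened-chromium Flags, Read the FAQ) is demoted to `###` here; demote it too so the post-install checklist sits at one heading level. The LUKS TPM2 warning `Do not use this if you have an AMD CPU.` in hunk @@ -209,7 +207,7 @@ gives no reason or link; a short rationale would stop readers from second-guessing it.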
--- a/content/articles/FLATPAK.md +++ b/content/articles/FLATPAK.md @@ -22,4 +22,4 @@ What secureblue does in this case is provide a mitigation along the lines of the ujust flatpak-permissions-lockdown ``` -This is not enabled out of the box on secureblue because it has a somewhat significant usability impact (many flatpaks will break due to missing permissions). Until the flatpak and xdg portal permissions model is improved, this is the most secure option we can offer. That said, users are still encouraged to report unnecessary permissions to upstream projects when found, while incremenetal development progresses on flatpak and portals. +This is not enabled out of the box on secureblue because it has a somewhat significant usability impact (many flatpaks will break due to missing permissions). Until the flatpak and xdg portal permissions model is improved, this is the most secure option we can offer. That said, users are still encouraged to report unnecessary permissions to upstream projects when found, while incremental development progresses on flatpak and portals. From 588610bf4dff3422c4e776d6c81e8f04626449d3 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 13:39:42 -0800 Subject: [PATCH 24/35] reset css --- assets/main.css | 6 ------ 1 file changed, 6 deletions(-) diff --git a/assets/main.css b/assets/main.css index 699abfbe..6402a7b4 100644 --- a/assets/main.css +++ b/assets/main.css @@ -296,12 +296,6 @@ main.normalize { align-items: center; flex-flow: row nowrap; justify-content: space-between; - max-width: 832px; - margin: auto; - padding-top: 3.5rem; - padding-bottom: 1rem; - padding-left: 1rem; - padding-right: 1rem; } .hero h1 { From ce3b6d5b93af3e69ed325052efbb8b785ba75573 Mon Sep 17 00:00:00 2001 
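Review bot: the `assets/main.css` hunk (@@ -296,12 +296,6 @@) deletes the `max-width`, `margin` and `padding` rules from the `.hero` container without replacing them, so at this commit the hero is neither constrained nor centred; if the intent was to move the layout elsewhere, that should land in the same commit so the series stays bisectable. The FLATPAK.md hunk only corrects `incremenetal` to `incremental`, which is fine.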
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 13:45:11 -0800 Subject: [PATCH 25/35] fix class order --- _includes/hero.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/hero.html b/_includes/hero.html index 417b3b55..080f76e2 100644 --- a/_includes/hero.html +++ b/_includes/hero.html @@ -1,4 +1,4 @@ -
    +

    secureblue

    From 7aee65913503bf0368d7f9cdf96d6e4b540c7a4c Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 14:10:28 -0800 Subject: [PATCH 26/35] formatting --- content/INDEX.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/content/INDEX.md b/content/INDEX.md index e185fdf1..946628f3 100644 --- a/content/INDEX.md +++ b/content/INDEX.md @@ -4,8 +4,6 @@ description: "Hardened operating system images based on Fedora Atomic Desktop an permalink: / --- -## About - secureblue is a security-focused desktop and server linux operating system, developed as an open-source project. It is shipped as a set of [OCI](https://en.wikipedia.org/wiki/Open_Container_Initiative) bootable container images, which are generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with SELinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a secure desktop system. However, the security posture of desktop linux is broadly and significantly lacking. The goal of secureblue is to build a maximally secure linux operating system by proactively increasing defenses against the exploitation of both known and unknown vulnerabilities while avoiding sacrificing usability for most use cases where possible. For more details, see the features list. ## Who is secureblue for? From e41c14b2f568602e3216e158f2a36b1982da8c7f Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 14:16:09 -0800 Subject: [PATCH 27/35] add back about --- content/INDEX.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/INDEX.md b/content/INDEX.md index 946628f3..e185fdf1 100644 --- a/content/INDEX.md +++ b/content/INDEX.md 
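Review bot: the INDEX.md hunk (@@ -4,8 +4,6 @@) removes the `## About` heading that the very next commit restores, so the two commits cancel out and should be squashed. In the context lines, `For more details, see the features list.` should link to the features page rather than naming it in prose.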
@@ -4,6 +4,8 @@ description: "Hardened operating system images based on Fedora Atomic Desktop an permalink: / --- +## About + secureblue is a security-focused desktop and server linux operating system, developed as an open-source project. It is shipped as a set of [OCI](https://en.wikipedia.org/wiki/Open_Container_Initiative) bootable container images, which are generated with [BlueBuild](https://blue-build.org/), using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point. Fedora is one of the few Linux distributions that ships with SELinux and associated tooling built-in and enabled by default. This makes it advantageous as a starting point for building a secure desktop system. However, the security posture of desktop linux is broadly and significantly lacking. The goal of secureblue is to build a maximally secure linux operating system by proactively increasing defenses against the exploitation of both known and unknown vulnerabilities while avoiding sacrificing usability for most use cases where possible. For more details, see the features list. ## Who is secureblue for? From 69ad0a4bfb067e0063ae5ed914a7c4f171c1bfb9 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 14:20:08 -0800 Subject: [PATCH 28/35] fix note type --- content/INSTALL.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/INSTALL.md b/content/INSTALL.md index 08887d2a..9ef47985 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md 
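Review bot: this INDEX.md hunk (@@ -4,6 +4,8 @@) exactly reverts the previous commit's removal of `## About`; squash the pair rather than keeping a remove-then-restore in history. In the same paragraph `linux` should be `Linux` (`desktop and server linux operating system`, `desktop linux`), matching `Fedora` and `SELinux` in the surrounding sentences.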
@@ -106,7 +106,7 @@ ujust enroll-secure-boot-key ### Set hardened kargs {: #kargs} -{% include alert.html type='info' content='Learn about the hardening applied by the kargs set by the command below [here](/articles/kargs).' %} +{% include alert.html type='note' content='Learn about the hardening applied by the kargs set by the command below [here](/articles/kargs).' %} ``` ujust set-kargs-hardening @@ -196,7 +196,7 @@ Interactively setup system DNS resolution for systemd-resolved (optionally also ujust dns-selector ``` -{% include alert.html type='info' content='If you intend to use a VPN, use the system default state (network provided resolver). This will ensure your system uses the VPN provided DNS resolver to prevent DNS leaks. ESPECIALLY avoid setting the browser DNS policy in this case.' %} +{% include alert.html type='note' content='If you intend to use a VPN, use the system default state (network provided resolver). This will ensure your system uses the VPN provided DNS resolver to prevent DNS leaks. ESPECIALLY avoid setting the browser DNS policy in this case.' %} ## Bash environment lockdown {: #bash} From 660629a839eb4b2b6f6bfbb908870be8216ce6d5 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 14:25:01 -0800 Subject: [PATCH 29/35] fix css --- _includes/hero.html | 2 +- assets/main.css | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/_includes/hero.html b/_includes/hero.html index 080f76e2..009eea38 100644 --- a/_includes/hero.html +++ b/_includes/hero.html @@ -1,4 +1,4 @@ -
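Review bot: both hunks change the alert type from `info` to `note`, which implies `alert.html` accepts a fixed set of types; the DNS hunk (@@ -196,7 +196,7 @@) still shouts `ESPECIALLY avoid setting the browser DNS policy` in capitals inside the note, and a DNS-leak warning is better carried by the `caution` type already used for the wheel-account steps than by uppercase.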
    +

    secureblue

    diff --git a/assets/main.css b/assets/main.css index 6402a7b4..b6980323 100644 --- a/assets/main.css +++ b/assets/main.css @@ -296,6 +296,10 @@ main.normalize { align-items: center; flex-flow: row nowrap; justify-content: space-between; + max-width: 832px; + margin-left: auto; + margin-right:auto; + padding: 3.5rem 1rem; } .hero h1 { From 2a08f58d2aa6ffdab8f7bb389f2b6e29953e038a Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 14:27:41 -0800 Subject: [PATCH 30/35] typo --- assets/main.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/main.css b/assets/main.css index b6980323..baefa043 100644 --- a/assets/main.css +++ b/assets/main.css @@ -298,7 +298,7 @@ main.normalize { justify-content: space-between; max-width: 832px; margin-left: auto; - margin-right:auto; + margin-right: auto; padding: 3.5rem 1rem; } From 06f42af84660a7068a444ebe1b4c06a070a141fd Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 14:50:25 -0800 Subject: [PATCH 31/35] add fido2 note --- content/INSTALL.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/content/INSTALL.md b/content/INSTALL.md index 9ef47985..31711c88 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md @@ -207,7 +207,19 @@ To mitigate [LD_PRELOAD attacks](https://github.com/Aishou/wayland-keylogger), r ujust toggle-bash-environment-lockdown ``` -### LUKS TPM2 Unlock +### LUKS Hardware-Unlock + +#### LUKS FIDO2 Unlock +{: #luks-fido2} + + +To enable FIDO2 LUKS unlocking with your FIDO2 security key, run: + +``` +ujust setup-luks-fido2-unlock +``` + +#### LUKS TPM2 Unlock {: #luks-tpm2} {% include alert.html type='warning' content='Do not use this if you have an AMD CPU.' %} From 410854ea70536312b3f59ddb723d7ce5c3e30ccb Mon Sep 17 00:00:00 2001 
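Review bot: the `#### LUKS FIDO2 Unlock` hunk (@@ -207,7 +207,19 @@) gives the command but does not say whether the existing LUKS passphrase keyslot is kept, which is what a reader needs to know before binding unlock to a key they could lose; state that a passphrase fallback remains (or must be kept) and what happens at boot when the key is absent. Minor: the hunk leaves two blank lines after `{: #luks-fido2}`, and the CSS hunk in this line re-adds `margin-right:auto;` without the space that the following commit then has to fix.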
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 14:53:12 -0800 Subject: [PATCH 32/35] note --- content/INSTALL.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/INSTALL.md b/content/INSTALL.md index 31711c88..ee8fee18 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md @@ -209,6 +209,9 @@ ujust toggle-bash-environment-lockdown ### LUKS Hardware-Unlock +{% include alert.html type='note' content='There are two options available for hardware-based unlocking. You can either enroll FIDO2 or TPM2 for your luks volume. It's recommended that you choose only one of these, and not both at the same time.' %} + + #### LUKS FIDO2 Unlock {: #luks-fido2} From ad9e5a309f8b1b343bfb2734ac98ad18d60ddf82 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 14:54:38 -0800 Subject: [PATCH 33/35] escape char --- content/INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/INSTALL.md b/content/INSTALL.md index ee8fee18..6c0cfb96 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md @@ -209,7 +209,7 @@ ujust toggle-bash-environment-lockdown ### LUKS Hardware-Unlock -{% include alert.html type='note' content='There are two options available for hardware-based unlocking. You can either enroll FIDO2 or TPM2 for your luks volume. It's recommended that you choose only one of these, and not both at the same time.' %} +{% include alert.html type='note' content='There are two options available for hardware-based unlocking. You can either enroll FIDO2 or TPM2 for your luks volume. It\'s recommended that you choose only one of these, and not both at the same time.' %} #### LUKS FIDO2 Unlock From b95bb82cab81a676e7619202d56241d4a35a2123 Mon Sep 17 00:00:00 2001 
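Review bot: in the @@ -209,6 +209,9 @@ hunk the unescaped apostrophe in `It's` sits inside a single-quoted Liquid argument (`content='...'`), so the string ends at `It` and the include breaks; the next commit escapes it as `It\'s`, and the two should be squashed so no commit in the series ships a broken include.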
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 15:13:46 -0800 Subject: [PATCH 34/35] fix link --- content/articles/FLATPAK.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/articles/FLATPAK.md b/content/articles/FLATPAK.md index 01c9a82c..7407623a 100644 --- a/content/articles/FLATPAK.md +++ b/content/articles/FLATPAK.md @@ -10,7 +10,7 @@ Flatpak is an application packaging and distribution system for desktop linux. I As with any application sandboxing system, flatpaks should be scoped down by default to as few permissions as they need to function. Even better, permissions should be granted directly by the user at app runtime like in android. Sadly, neither of these are the case today. Flatpak manifest maintainers define the set of permissions they believe to be necessary and sufficient for operation of their applications. When a flatpak is installed by a user, the flatpak's permissions default to those defined by the manifest. -This is of course not ideal, but it's also not a reason to abandon flatpak entirely. There are many ways we can mitigate this issue: +This is of course not ideal, but it's also [not a reason to abandon flatpak entirely](https://en.wikipedia.org/wiki/Perfect_is_the_enemy_of_good). There are many ways we can mitigate this issue: - users should configure permissions to their liking - users should submit default permissions changes to upstream flatpaks at their repos. From 4cc6a0164abfcc9b41de9d985574831a4bbe4283 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 2 Jan 2025 15:27:02 -0800 Subject: [PATCH 35/35] comment --- content/INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/INSTALL.md b/content/INSTALL.md index 6c0cfb96..148d2988 100644 --- a/content/INSTALL.md +++ b/content/INSTALL.md 
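Review bot: in the FLATPAK.md hunk (@@ -10,7 +10,7 @@) linking `not a reason to abandon flatpak entirely` to the Wikipedia article is fine, but the context lines around it still read `like in android` (should be `Android`) and the bullet list mixes items with and without a trailing period; fix these while touching the paragraph.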
@@ -209,7 +209,7 @@ ujust toggle-bash-environment-lockdown ### LUKS Hardware-Unlock -{% include alert.html type='note' content='There are two options available for hardware-based unlocking. You can either enroll FIDO2 or TPM2 for your luks volume. It\'s recommended that you choose only one of these, and not both at the same time.' %} +{% include alert.html type='note' content='There are two options available for hardware-based unlocking. You can either enroll FIDO2 or TPM2 for your luks volume. FIDO2 enrollment is preferable if you own a hardware security key. It\'s recommended that you choose only one of these, and not both at the same time.' %} #### LUKS FIDO2 Unlock
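Review bot: the note in hunk @@ -209,7 +209,7 @@ now says `FIDO2 enrollment is preferable if you own a hardware security key` without saying why; give the reason (the TPM2 option on this page carries a `Do not use this if you have an AMD CPU` warning, for one), otherwise readers with both options cannot judge the trade-off. Same hunk: `your luks volume` should be `your LUKS volume`, matching the headings.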