From afbdd44f086c0472c22ec525393e8ceaec3929f7 Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Thu, 17 Jan 2019 18:36:15 -0800 Subject: [PATCH 1/3] added Xenial prep instructions in upgrade section --- docs/index.rst | 1 + docs/upgrade/xenial_prep.rst | 193 +++++++++++++++++++++++++++++++++++ 2 files changed, 194 insertions(+) create mode 100644 docs/upgrade/xenial_prep.rst diff --git a/docs/index.rst b/docs/index.rst index 423032af84..09451c583b 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -86,6 +86,7 @@ anonymous sources. :name: upgradetoc :maxdepth: 2 + upgrade/xenial_prep.rst upgrade/0.10.0_to_0.11.0.rst upgrade/0.9.1_to_0.10.0.rst upgrade/0.8.0_to_0.9.1.rst diff --git a/docs/upgrade/xenial_prep.rst b/docs/upgrade/xenial_prep.rst new file mode 100644 index 0000000000..4419649e1a --- /dev/null +++ b/docs/upgrade/xenial_prep.rst 
@@ -0,0 +1,193 @@ +Xenial migration - Preparatory steps +==================================== +On 30 April 2019, Ubuntu 14.04 LTS (Long Term Support) will reach End of Life. After this date, no new security updates to the base operating system will be provided. It is therefore of critical importance for the security of all SecureDrop instances to upgrade to the next version of Ubuntu (16.04) before April 30. + +SecureDrop servers provisioned before April 30 use Ubuntu 14.04 LTS as the base operating system. Support for Ubuntu 16.04 LTS (which will receive security updates until April 2021) is scheduled to be included with the next release of SecureDrop, version 0.12.0, on February 19. The operating system update itself must be performed manually. + +We recommend that you plan two working days (after your instance has been updated to SecureDrop 0.12.0) to backup your instance, perform the upgrade, and test your instance once it is upgraded. We recommend scheduling this maintenance window no earlier than February 27. + +Anytime before then, we suggest taking some simple preparatory steps to ensure your SecureDrop instance can be upgraded smoothly. + +Preparation Procedure +--------------------- + + * In summary, the preparation procedure consists of: + * Ensuring your instance is running the latest version of SecureDrop; + * Ensuring your Admin Workstation and Journalist Workstations are up to date; + * Ensuring you have a recent backup of the Securedrop servers; + * Verifying that you still have SSH access to the server. + +Ensuring your instance servers are running the latest version of SecureDrop +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The quickest way to check your SecureDrop version is to load the .onion address of your Source Interface in the Tor Browser. The version number will be in the footer of the Source Interface. 
+ +SecureDrop servers are updated automatically with the latest release version, which is currently 0.11.0. Recently, some long-running SecureDrop instances were affected by a bug which will cause any updates after 0.10.0 to fail. If your instance is still running 0.10.0, please consult our advisory to update to the latest version. + +.. important:: + If your instance is affected by this bug, it will no longer receive automatic updates. This is a major security risk and we urge you to take manual action as soon as possible to update SecureDrop. Please do not hesitate to contact us if we can help (see below). + +Ensuring your Admin Workstation is up-to-date +--------------------------------------------- + +First, back up your Admin Workstation, using the process described here: +Docs: Back up the Workstations + +Next, ensure you are running the latest version of the Tails OS. You can do this by starting up your Admin Workstation, and selecting Activities > Tails > About Tails. If you are running a version prior to 3.11, you will need to upgrade to version 3.11. + +Check the version of the SecureDrop code installed on your Admin Workstation. Start the Admin Workstation with its persistent volume unlocked and an administration password set. Then open a terminal window and run the following commands: + +.. code:: sh + + cd ~/Persistent/securedrop + git status + +The output from ``git status`` should include the following text: + +HEAD detached at + +where is the version of the workstation code that is installed. + +If the Admin Workstation is at version 0.11.0, it is up-to-date, and you can proceed with making a backup of the instance and verifying SSH connectivity. [anchor link here] + +Upgrading from version 0.9.1 or later +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +If the workstation is at least at version 0.9.1 and up to version 0.10.0, you should see a graphical updater informing you about the availability of a new version. 
The graphical updater looks like this: + + +Follow the graphical prompts to complete the update. If you don’t see the graphical updater, make sure that you start up the Admin Workstation with both an Administration password set and the persistent volume unlocked. + +If you still can’t see the graphical prompt, then you can update manually by following the next set of steps below. + +Upgrading from versions 0.4-0.9.0 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If your workstation code version is between 0.4 and 0.9.0, then you will need to update to the latest version manually. First, open a terminal window and run the following commands: + +cd ~/Persistent/securedrop +git fetch --tags +gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" +git tag -v 0.11.0 + +The output should include the following two lines: + +gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 +gpg: Good signature from "SecureDrop Release Signing Key" + +Please verify that each character of the fingerprint above matches what is on the screen of your workstation. If it does, you can check out the new release: + +git checkout 0.11.0 +Important: If you see the warning “refname ‘0.11.0’ is ambiguous” in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted). + +Finally, run the following commands: + +./securedrop-admin setup +./securedrop-admin tailsconfig + +Upgrading from version 0.3.x - reprovisioning your Admin Workstation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If your Admin Workstation has not been updated since version 0.3 of SecureDrop was released, its Tails version is most likely also out-of-date. In this case, we recommend provisioning a new Admin Workstation using the configuration information from the old workstation. + +First, prepare a new Tails USB stick with a persistent volume, using the latest version of Tails. For more information on this process, see Docs: Creating Tails USBs. 
This will be your new Admin Workstation. + +Start up your new Admin Workstation with its persistent volume unlocked and an administration password set. + +Open a terminal and run the following commands to install the SecureDrop app code: + +gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" +cd ~/Persistent +git clone https://github.com/freedomofpress/securedrop.git +cd ~Persistent/securedrop +git checkout 0.11.0 +git tag -v 0.11.0 + + +You should see Good signature from "SecureDrop Release Signing Key" in the output of that last command, along with the fingerprint above. + +If you do not, signature verification has failed and you should not proceed with the installation. If this happens, please contact us at securedrop@freedom.press. + +Next, mount the persistent volume of the old Admin Workstation in order to retrieve instance-specific files that you’ll need to set up the new workstation. + +To do so: +Plug your old Admin Workstation into a free USB port +Browse to Places > Computer in the Tails top navigation bar +The old Admin Workstation’s persistent volume will appear in the left-hand menu, listed as an encrypted volume. Click the listing, and enter the decryption passphrase for the volume to mount it. + +Next, copy the files that you’ll need for the new Admin Workstation. Open a terminal and run the following commands: + +cp /media/amnesia/TailsData/openssh-client/* ~/.ssh/ +export SRC="/media/amnesia/TailsData/install_files/ansible_base" +export DST="~/Persistent/securedrop/install_files/ansible-base" +cp $SRC/{app,mon}* $DST/ +cp $SRC/prod-specific.yml $DST/ + +Next, you’ll need to copy over the instance’s submission key and OSSEC public key. 
Their filenames may vary, but you can check them in the instance configuration file using the following command: + +grep "_public_key" $DST/prod-specific.yml + +Assuming that their names are Securedrop.asc and ossec.asc respectively, you should then copy them across by running the following commands: + +cp $SRC/Securedrop.asc $DST/ +cp $SRC/ossec.asc $DST/ + +If you use Tails’ KeepassX password manager to store instance-specific passwords, you should also copy over the old workstation’s KeepassX database. +The default location for the KeepassX database is /media/amnesia/TailsData/Persistent/securedrop-keepassx.kdbx. Copy it to the new Admin Workstation’s persistent volume with the following command: + +cp /media/amnesia/TailsData/Persistent/securedrop-keepassx.kdbx ~/Persistent/ + +Once the instance-specific files have been copied across, unmount the old Admin Workstation’s persistent volume by clicking its Eject icon in the file browser. + +Next, you’ll need to configure the new Admin Workstation using the copied files. In a terminal, run the following commands: + +cd ~/Persistent/securedrop +./securedrop-admin setup +./securedrop-admin tailsconfig + +You can now proceed to back up your instance and test SSH connectivity, as described below. + +Backing up your instance +------------------------ +Once your Admin Workstation is up-to-date, you should purge any previously downloaded submissions from the Journalist Interface before backing up the instance servers. In general, this should be done by or in coordination with the editorial staff responsible for the instance! + +Removing old submissions is good security practice. It’s also important in order to control the size of backups, as the backup files are transferred to the Admin Workstation over the Tor network. 
+ +To back up your instance servers, open a terminal on the Admin Workstation and run the following commands: + +cd ~/Persistent/securedrop +./securedrop-admin setup +./securedrop-admin backup + +Once the command is completed, you will find the backup files in the ~/Persistent/securedrop/install_files/ansible-base directory. We recommend that you store those on an encrypted volume on a separate USB stick for safe keeping. For more information on the backup process, see Docs: Backup, Restore, Migrate. + + +Verifying SSH access +-------------------- + +Check to see if you can still access the servers via SSH. To do this, start up your Admin Workstation (with persistent storage unlocked) and run the following commands. + +$ ssh app hostname +app +$ ssh mon hostname +mon + +If you are having trouble accessing the servers, try the following +Check if you have unlocked the persistent storage on your Admin Workstation +Check to see if they are turned on and connected to the network +Try to log into directly (by attaching a keyboard and display) +Contact us for assistance (see below). +Upgrading Journalist Workstations +You should keep your Journalist Workstations up-to-date with the SecureDrop version in use on your Admin Workstations. You can check the SecureDrop code versions on a Journalist Workstation using the procedure described above. + +If your Journalist Workstation code version is 0.9.1 or later, you can upgrade it using the graphical updater. +If its code version is between 0.4 and 0.9.0 inclusive, you can use the process described above for an Admin Workstation with the same code version to upgrade it. +If its code version is less than 0.4, we recommend provisioning a new Journalist Workstation instead, after upgrading your Admin Workstation. 
+ +Questions and comments +---------------------- +If you have questions or comments regarding the coming upgrade to Ubuntu 16.04 or the preparatory procedure outlined above, please don't hesitate to reach out: + +Via our Support Portal, if you are a member (membership is approved on a case-by-case basis); +Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously); +Via our community forums. + From c19181fc19ed02c4215764bce96812fb73d82439 Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Fri, 18 Jan 2019 10:20:18 -0800 Subject: [PATCH 2/3] updated based on review --- docs/upgrade/xenial_prep.rst | 277 ++++++++++++++++++++++------------- 1 file changed, 178 insertions(+), 99 deletions(-) diff --git a/docs/upgrade/xenial_prep.rst b/docs/upgrade/xenial_prep.rst index 4419649e1a..40b6daa586 100644 --- a/docs/upgrade/xenial_prep.rst +++ b/docs/upgrade/xenial_prep.rst 
@@ -1,8 +1,8 @@ -Xenial migration - Preparatory steps -==================================== -On 30 April 2019, Ubuntu 14.04 LTS (Long Term Support) will reach End of Life. After this date, no new security updates to the base operating system will be provided. It is therefore of critical importance for the security of all SecureDrop instances to upgrade to the next version of Ubuntu (16.04) before April 30. +Ubuntu 16.04 LTS (Xenial) migration - Preparatory steps +======================================================= +On 30 April 2019, Ubuntu 14.04 LTS (Trusty) will reach End of Life. After this date, no new security updates to the base operating system will be provided. It is therefore of critical importance for the security of all SecureDrop instances to upgrade to Ubuntu 16.04 LTS (Xenial) before April 30. -SecureDrop servers provisioned before April 30 use Ubuntu 14.04 LTS as the base operating system. Support for Ubuntu 16.04 LTS (which will receive security updates until April 2021) is scheduled to be included with the next release of SecureDrop, version 0.12.0, on February 19. The operating system update itself must be performed manually. +SecureDrop servers provisioned before February 19 use Ubuntu 14.04 LTS as the base operating system. Support for Ubuntu 16.04 LTS (which will receive security updates until April 2021) is scheduled to be included with the next release of SecureDrop, version 0.12.0, on February 19. The operating system update itself must be performed manually. We recommend that you plan two working days (after your instance has been updated to SecureDrop 0.12.0) to backup your instance, perform the upgrade, and test your instance once it is upgraded. We recommend scheduling this maintenance window no earlier than February 27. 
@@ -11,31 +11,39 @@ Anytime before then, we suggest taking some simple preparatory steps to ensure y Preparation Procedure --------------------- - * In summary, the preparation procedure consists of: - * Ensuring your instance is running the latest version of SecureDrop; - * Ensuring your Admin Workstation and Journalist Workstations are up to date; - * Ensuring you have a recent backup of the Securedrop servers; - * Verifying that you still have SSH access to the server. +In summary, the preparation procedure consists of: -Ensuring your instance servers are running the latest version of SecureDrop -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + #. ensuring your instance is running the latest version of SecureDrop; + #. ensuring your *Admin Workstation* and *Journalist Workstations* are up to date; + #. ensuring you have a recent backup of the Securedrop servers; + #. verifying that you still have SSH access to the servers. -The quickest way to check your SecureDrop version is to load the .onion address of your Source Interface in the Tor Browser. The version number will be in the footer of the Source Interface. +Each of these steps are described below. -SecureDrop servers are updated automatically with the latest release version, which is currently 0.11.0. Recently, some long-running SecureDrop instances were affected by a bug which will cause any updates after 0.10.0 to fail. If your instance is still running 0.10.0, please consult our advisory to update to the latest version. +Checking your Server Securedrop version +--------------------------------------- + +The simplest way to check your SecureDrop version is to load the .onion address of your Source Interface in the Tor Browser. The version number will be in the footer of the Source Interface. You can also check the application version from the command line on the *Application Server* by running the command: + +.. 
code:: sh + + apt-cache policy securedrop-app-code + + +SecureDrop servers are updated automatically with the latest release version (0.11.0 as of 17 Jan 2019). Recently, some long-running SecureDrop instances were affected by a bug which will cause any updates after 0.10.0 to fail. If your instance is still running 0.10.0, please `consult our advisory `_ to update to the latest version. .. important:: - If your instance is affected by this bug, it will no longer receive automatic updates. This is a major security risk and we urge you to take manual action as soon as possible to update SecureDrop. Please do not hesitate to contact us if we can help (see below). + If your instance is affected by this bug, it will no longer receive automatic updates. This is a major security risk and we urge you to take manual action as soon as possible to update SecureDrop. Please do not hesitate to :ref:`contact us ` if we can help. Ensuring your Admin Workstation is up-to-date ---------------------------------------------- +----------------------------------------------- -First, back up your Admin Workstation, using the process described here: -Docs: Back up the Workstations +First, back up your *Admin Workstation*. using the process described here: +:doc:`Back up the Workstations <../backup_workstations>`. -Next, ensure you are running the latest version of the Tails OS. You can do this by starting up your Admin Workstation, and selecting Activities > Tails > About Tails. If you are running a version prior to 3.11, you will need to upgrade to version 3.11. +Next, ensure you are running the latest version of the Tails OS. You can do this by starting up your *Admin Workstation*. and selecting **Activities > Tails > About Tails**. If you are running a version prior to 3.11, you will need to upgrade to version 3.11. For more information on upgrading your Tails USB, see `Upgrading a Tails USB stick `_. -Check the version of the SecureDrop code installed on your Admin Workstation. 
Start the Admin Workstation with its persistent volume unlocked and an administration password set. Then open a terminal window and run the following commands: +To check the version of the SecureDrop code installed on your *Admin Workstation*, start the *Admin Workstation* with its persistent volume unlocked and an administration password set. Then open a terminal window and run the following commands: .. code:: sh 
@@ -44,150 +52,221 @@ Check the version of the SecureDrop code installed on your Admin Workstation. St The output from ``git status`` should include the following text: -HEAD detached at +.. code-block:: none + + HEAD detached at + +where ```` is the version of the workstation code that is installed. -where is the version of the workstation code that is installed. +If the *Admin Workstation* is at version 0.11.0, it is up-to-date, and you can proceed with :ref:`making a backup of the instance ` and :ref:`verifying SSH connectivity `. If the *Admin Workstation* is running an earlier version, you will need to upgrade it, using the appropriate steps for your version: -If the Admin Workstation is at version 0.11.0, it is up-to-date, and you can proceed with making a backup of the instance and verifying SSH connectivity. [anchor link here] + - 0.9.1 to 0.10.0: `Upgrading from version 0.9.1 or later`_. + - 0.4 to 0.9.0: `Upgrading from versions 0.4-0.9.0`_. + - Earlier than 0.4: `Upgrading from version 0.3.x - reprovisioning your Admin Workstation`_. Upgrading from version 0.9.1 or later -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + If the workstation is at least at version 0.9.1 and up to version 0.10.0, you should see a graphical updater informing you about the availability of a new version. The graphical updater looks like this: +.. image:: ../images/0.6.x_to_0.7/securedrop-updater.png + +Follow the graphical prompts to complete the update. If you don’t see the graphical updater, make sure that you start up the *Admin Workstation* with both an Administration password set and the persistent volume unlocked. -Follow the graphical prompts to complete the update. If you don’t see the graphical updater, make sure that you start up the Admin Workstation with both an Administration password set and the persistent volume unlocked. 
+If you still can’t see the graphical prompt, then you can update manually by following the instructions for :ref:`upgrading from versions 0.4 to 0.9.0 `. -If you still can’t see the graphical prompt, then you can update manually by following the next set of steps below. +.. _upgrade_04x: Upgrading from versions 0.4-0.9.0 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If your workstation code version is between 0.4 and 0.9.0, then you will need to update to the latest version manually. First, open a terminal window and run the following commands: -cd ~/Persistent/securedrop -git fetch --tags -gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" -git tag -v 0.11.0 +.. code:: sh + + cd ~/Persistent/securedrop + git fetch --tags + gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" + git tag -v 0.11.0 The output should include the following two lines: -gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 -gpg: Good signature from "SecureDrop Release Signing Key" +.. code-block:: none + + gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 + gpg: Good signature from "SecureDrop Release Signing Key" Please verify that each character of the fingerprint above matches what is on the screen of your workstation. If it does, you can check out the new release: -git checkout 0.11.0 -Important: If you see the warning “refname ‘0.11.0’ is ambiguous” in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted). +.. code:: sh + + git checkout 0.11.0 + +Important: If you see the warning ``refname ‘0.11.0’ is ambiguous`` in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted). Finally, run the following commands: -./securedrop-admin setup -./securedrop-admin tailsconfig +.. code:: sh + + ./securedrop-admin setup + ./securedrop-admin tailsconfig + + +.. 
_upgrade_03x: Upgrading from version 0.3.x - reprovisioning your Admin Workstation -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -If your Admin Workstation has not been updated since version 0.3 of SecureDrop was released, its Tails version is most likely also out-of-date. In this case, we recommend provisioning a new Admin Workstation using the configuration information from the old workstation. +If your *Admin Workstation* has not been updated since version 0.3 of SecureDrop was released, its Tails version is most likely also out-of-date. In this case, we recommend provisioning a new *Admin Workstation* using the configuration information from the old workstation. -First, prepare a new Tails USB stick with a persistent volume, using the latest version of Tails. For more information on this process, see Docs: Creating Tails USBs. This will be your new Admin Workstation. +First, prepare a new Tails USB stick with a persistent volume, using the latest version of Tails. For more information on this process, see :ref:`Create Tails USBs `. This will be your new *Admin Workstation*. -Start up your new Admin Workstation with its persistent volume unlocked and an administration password set. +Start up your new *Admin Workstation* with its persistent volume unlocked and an administration password set. Open a terminal and run the following commands to install the SecureDrop app code: -gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" -cd ~/Persistent -git clone https://github.com/freedomofpress/securedrop.git -cd ~Persistent/securedrop -git checkout 0.11.0 -git tag -v 0.11.0 +.. code:: sh + gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" -You should see Good signature from "SecureDrop Release Signing Key" in the output of that last command, along with the fingerprint above. 
+ cd ~/Persistent + git clone https://github.com/freedomofpress/securedrop.git + cd ~Persistent/securedrop + git tag -v 0.11.0 -If you do not, signature verification has failed and you should not proceed with the installation. If this happens, please contact us at securedrop@freedom.press. -Next, mount the persistent volume of the old Admin Workstation in order to retrieve instance-specific files that you’ll need to set up the new workstation. +The output should include the following two lines: + +.. code-block:: none + + gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 + gpg: Good signature from "SecureDrop Release Signing Key" + +Please verify that each character of the fingerprint above matches what is on the screen of your workstation. If it does, you can check out the new release. +If it does not, signature verification has failed and you should not proceed with the installation. If this happens, please contact us at securedrop@freedom.press. -To do so: -Plug your old Admin Workstation into a free USB port -Browse to Places > Computer in the Tails top navigation bar -The old Admin Workstation’s persistent volume will appear in the left-hand menu, listed as an encrypted volume. Click the listing, and enter the decryption passphrase for the volume to mount it. +Now, check out the current release with the following command: -Next, copy the files that you’ll need for the new Admin Workstation. Open a terminal and run the following commands: +.. code:: sh + + git checkout 0.11.0 + +Next, mount the persistent volume of the old *Admin Workstation* in order to retrieve instance-specific files that you’ll need to set up the new workstation. To do so: + + 1. Plug your old *Admin Workstation* into a free USB port + 2. Browse to **Places > Computer** in the Tails top navigation bar + |Places Menu| + 3. Click the encrypted volume in the left-hand panel of the file browser, and enter the decryption passphrase for the volume to mount it. 
+ |Volume Decryption Dialog| -cp /media/amnesia/TailsData/openssh-client/* ~/.ssh/ -export SRC="/media/amnesia/TailsData/install_files/ansible_base" -export DST="~/Persistent/securedrop/install_files/ansible-base" -cp $SRC/{app,mon}* $DST/ -cp $SRC/prod-specific.yml $DST/ +.. |Places Menu| image:: ../images/upgrade_to_tails_3x/browse_to_places_computer.png +.. |Volume Decryption Dialog| image:: ../images/upgrade_to_tails_3x/fill_in_passphrase.png -Next, you’ll need to copy over the instance’s submission key and OSSEC public key. Their filenames may vary, but you can check them in the instance configuration file using the following command: -grep "_public_key" $DST/prod-specific.yml +Next, copy the files that you’ll need for the new *Admin Workstation*. Open a terminal and run the following commands: + +.. code:: sh + + cp /media/amnesia/TailsData/openssh-client/* ~/.ssh/ -Assuming that their names are Securedrop.asc and ossec.asc respectively, you should then copy them across by running the following commands: + export SRC="/media/amnesia/TailsData/install_files/ansible_base" + export DST="~/Persistent/securedrop/install_files/ansible-base" + + cp $SRC/{app,mon}* $DST/ + cp $SRC/prod-specific.yml $DST/ + + # Next, you’ll need to copy over the instance’s submission key and OSSEC + # public key. Their filenames may vary, but you can check them in the + # instance configuration file using the following command: + + grep "_public_key" $DST/prod-specific.yml + + # Assuming that their names are ``Securedrop.asc`` and ``ossec.asc`` + # respectively, you should then copy them across by running the following + # commands: + + cp $SRC/Securedrop.asc $DST/ + cp $SRC/ossec.asc $DST/ -cp $SRC/Securedrop.asc $DST/ -cp $SRC/ossec.asc $DST/ If you use Tails’ KeepassX password manager to store instance-specific passwords, you should also copy over the old workstation’s KeepassX database. 
-The default location for the KeepassX database is /media/amnesia/TailsData/Persistent/securedrop-keepassx.kdbx. Copy it to the new Admin Workstation’s persistent volume with the following command: +The default location for the KeepassX database is ``/media/amnesia/TailsData/Persistent/securedrop-keepassx.kdbx``. Copy it to the new *Admin Workstation*'s persistent volume with the following command: -cp /media/amnesia/TailsData/Persistent/securedrop-keepassx.kdbx ~/Persistent/ +.. code:: sh -Once the instance-specific files have been copied across, unmount the old Admin Workstation’s persistent volume by clicking its Eject icon in the file browser. + cp /media/amnesia/TailsData/Persistent/securedrop-keepassx.kdbx ~/Persistent/ -Next, you’ll need to configure the new Admin Workstation using the copied files. In a terminal, run the following commands: +Once the instance-specific files have been copied across, unmount the old *Admin Workstation*.s persistent volume by clicking its Eject icon in the file browser. -cd ~/Persistent/securedrop -./securedrop-admin setup -./securedrop-admin tailsconfig +Next, you’ll need to configure the new *Admin Workstation* using the copied files. In a terminal, run the following commands: -You can now proceed to back up your instance and test SSH connectivity, as described below. +.. code:: sh + + cd ~/Persistent/securedrop + ./securedrop-admin setup + ./securedrop-admin tailsconfig + +You can now proceed to :ref:`back up your instance ` and :ref:`test SSH connectivity `, as described below. + +.. _backup_instance: Backing up your instance ------------------------ -Once your Admin Workstation is up-to-date, you should purge any previously downloaded submissions from the Journalist Interface before backing up the instance servers. In general, this should be done by or in coordination with the editorial staff responsible for the instance! -Removing old submissions is good security practice. 
It’s also important in order to control the size of backups, as the backup files are transferred to the Admin Workstation over the Tor network. +Once your *Admin Workstation* is up-to-date, you should delete any previously-downloaded submissions and sources via the Journalist Interface before backing up the instance servers. In general, this should be done by or in coordination with the editorial staff responsible for the instance! -To back up your instance servers, open a terminal on the Admin Workstation and run the following commands: +.. important:: + Deleting old submissions is good security practice. It’s also important in order to control the size of backups, as the backup files are transferred to the *Admin Workstation* over the Tor network. -cd ~/Persistent/securedrop -./securedrop-admin setup -./securedrop-admin backup +To back up your instance servers, open a terminal on the *Admin Workstation* and run the following commands: -Once the command is completed, you will find the backup files in the ~/Persistent/securedrop/install_files/ansible-base directory. We recommend that you store those on an encrypted volume on a separate USB stick for safe keeping. For more information on the backup process, see Docs: Backup, Restore, Migrate. +.. code:: sh + + cd ~/Persistent/securedrop + ./securedrop-admin setup + ./securedrop-admin backup + +Once the command is completed, you will find the backup files in the ``~/Persistent/securedrop/install_files/ansible-base`` directory. We recommend that you store those on an encrypted volume on a separate USB stick for safe keeping. For more information on the backup process, see :doc:`Backup, Restore, Migrate<../backup_and_restore>`. +.. _verify_ssh_access: + Verifying SSH access -------------------- -Check to see if you can still access the servers via SSH. To do this, start up your Admin Workstation (with persistent storage unlocked) and run the following commands. +Check to see if you can still access the servers via SSH. 
To do this, start up your *Admin Workstation* (with persistent storage unlocked) and run the following commands. + +.. code:: sh + + ssh app hostname # command output should be 'app' + ssh mon hostname # command output should be 'mon' + +If you are having trouble accessing the servers via SSH, try the following: -$ ssh app hostname -app -$ ssh mon hostname -mon + - creating a new Tor network circuit by disconnecting and reconnecting your Internet link, and repeating the check; + - running the ``./securedrop-admin tailsconfig`` command and repeating the check; + - verifying that the Source and Journalist Interfaces are available via their desktop shortcuts; + - verifying that the Application and Monitor servers are up; + - :ref:`contacting us ` for assistance. -If you are having trouble accessing the servers, try the following -Check if you have unlocked the persistent storage on your Admin Workstation -Check to see if they are turned on and connected to the network -Try to log into directly (by attaching a keyboard and display) -Contact us for assistance (see below). Upgrading Journalist Workstations -You should keep your Journalist Workstations up-to-date with the SecureDrop version in use on your Admin Workstations. You can check the SecureDrop code versions on a Journalist Workstation using the procedure described above. +--------------------------------- + +You should keep your *Journalist Workstations* in sync with the SecureDrop version in use on your *Admin Workstation*.. You can check the SecureDrop code versions on a *Journalist Workstation* using the procedure described above. + + - If your *Journalist Workstation* code version is 0.9.1 or later, you can upgrade it using the graphical updater. + - If its code version is later than 0.4 and earlier than 0.9.1, you can use the process described above for an *Admin Workstation* with the same code version to upgrade it. 
+ - If its code version is less than 0.4, we recommend provisioning a new *Journalist Workstation* instead, after upgrading your *Admin Workstation*. + + +.. _contact_us: -If your Journalist Workstation code version is 0.9.1 or later, you can upgrade it using the graphical updater. -If its code version is between 0.4 and 0.9.0 inclusive, you can use the process described above for an Admin Workstation with the same code version to upgrade it. -If its code version is less than 0.4, we recommend provisioning a new Journalist Workstation instead, after upgrading your Admin Workstation. +Contact us +---------- -Questions and comments ----------------------- -If you have questions or comments regarding the coming upgrade to Ubuntu 16.04 or the preparatory procedure outlined above, please don't hesitate to reach out: +If you have questions or comments regarding the coming upgrade to Ubuntu 16.04 LTS or the preparatory procedure outlined above, please don't hesitate to reach out: -Via our Support Portal, if you are a member (membership is approved on a case-by-case basis); -Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously); -Via our community forums. + - via our `Support Portal `_, if you are a member (membership is approved on a case-by-case basis); + - via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously); + - via our `community forums `_. From 74cc5c61f7ea042f0bad8a2753b1fbd05125a423 Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Tue, 22 Jan 2019 14:19:21 -0800 Subject: [PATCH 3/3] updated xenial prep instructions with review feedback --- docs/images/sdsource.png | Bin 0 -> 74045 bytes docs/upgrade/xenial_prep.rst | 15 +++++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) create mode 100644 docs/images/sdsource.png 
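Review bot: The version ranges in the new "Upgrading Journalist Workstations" list in docs/upgrade/xenial_prep.rst no longer cover a workstation at exactly 0.4. The second bullet now reads "later than 0.4 and earlier than 0.9.1" and the third "less than 0.4", whereas the removed text said "between 0.4 and 0.9.0 inclusive". Suggest "0.4 or later and earlier than 0.9.1" so that every version falls under exactly one bullet. In the same hunk, the first added sentence ends with a doubled period ("*Admin Workstation*..").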
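Review bot: The rewritten troubleshooting list under "Verifying SSH access" drops two checks that the removed text had: confirming that persistent storage is unlocked on the Admin Workstation, and logging in to the servers directly with a keyboard and display. The second is worth keeping as the step before "contacting us", because it lets an admin check the servers without depending on the Tor connection that the first bullet is already trying to repair. The new bullet "verifying that the Application and Monitor servers are up" also does not say how to verify that when SSH is the thing that is failing; naming the method (for example the direct console login from the old list) would make it actionable.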
diff --git a/docs/images/sdsource.png b/docs/images/sdsource.png new file mode 100644 index 0000000000000000000000000000000000000000..564c9fab63019dcea9ea595c5b6d3281fdd46c20 GIT binary patch literal 74045
zU+J@k@9M<^inq>~Yp zj0@lda0SEyaLmJQSsn(Vi2OD-r#}53FwRk*L!b0N069ZftvVevQ%)XeXAa#jxd1%^ zl9I{6cJbKV^03H8<44lLH9vpn_N+ z)q4V#h5K0+VPtCRAOJG1?+-oxiCda(zNqSKvTWFAg?`vKkQgEN`7;E?<4OSNw0WD) zi!DjRtT|Kf05xW0WfcLwV=OSdje<&2hac~T(dhaWCq!QRg!_#hOSysBs=T)j3+DmM z;J?Ph8V+g?vRiI*R|yOZ48S@o2lW1vo0}U7ur-6Xkqmqvqt)7$>*SUdC>i&=%^Os5 z(NI+@P>_QHQTU13ydhA_0t^SJ&U--nSY93ly$RN#(7o~>3A%=c1|l-Dyt?{8%UyrV zKiYZgftu!XTIl6-a)RhAbr5SHr>Qvv)&H_@0_FQA*tPWmsSTl(pg>QGx_RYwG`b|A z3pFxsR!?z|uq;r{+U1wgNq5VM8aNT6dHotx{syFLZ8@2lYS_(y*T){p>Y z7r;y9JJr+|x>P|zMx>|@_`7A`%hL4g0tku{Ql#0G1fC9PTqCZ`069(x0e53;b{5WR zp7%jVP@u4E4V4iJ!~a0&<_JzsVZPTHwe-ZhJb3q3CfrO zy`_+W0V!1O+-C>l`LXXXF){H8A|m3*_&C$f(i4y`_2lg0f{eGnr$>~7EDZ*q-9k0D zoY#vefavd+%}rSUbLHMb_#JATJ2f>W_Xu!5l#f971Fcg;!titsmzva}!KuJ|7if-o ztcy!ZN@8x$&d;9$LzCFoh1L>ADPdt@mAdxa-PHYxQ(&eOHT&PM(k`YyTW$bc@-7aS zW!&8#etP5@f7_d31dK%ryV1kl_1!8~OY4f&`-{wHULnj5FS{?VdLA9 zv$*iT01g9A70}Wq%Q}UBj>|6!CwfIJ`tO{-PqZj_D{B_*aUaiQ9y@{ItS}gr0LjwY zK-2;iCp^^#3kdoJpm8=i)zxuHNjUCD-h@wpSfIYM3TogCeVfKcMq0rKTpx#f3;{x{Cdt*cpIS7XD+6C$ zXlfD=+ycTn1+*w^$M^sL@+Z+sm0Uh9zX048@~~_-)aNUeLSxOZycqB~l*XDp($t4XR9PZ~oW3LN*`7Zi)ZWa9%``)c;$1;IXB@D);}pUtZ08H8qVEe*Ju90xcVC z!kKI9DJsW@tLfo)7WJ`w8rQ4oGSlS<x-mYK{M~m^vkC3S@WTZE5CY@@ zk62fgayi-0b9#-eW2GeRBD@);J zKHFiQmu29T8AG8D^qIF9It?K3U_p3wk3J{*-@;zQGhk zNlht@s!P(PY-7rGE;YC}XY)M^lJsYvP;~!^znHZx=_}<0czJ%pacZoSj2&g?y`QK z=JV@Yn+y)h9CUe1+jB6Lm6w@%pUf9HJLhF68ws#@(~}WP5o%oSxP=tZ$H&J`06`uZ&; z-BI+~aO;|NnA4zWXJ&Clcv@QTgwTo=_En>WD*^f2w*-;`H1~gZ4`U+Hswr@-Cl3d1 z+{b%{OAFQBC25+7B!l{FWK=fK+?8omd%CtPeh)CkMW!c5D+_X8p5WfyM3Vo(#SVaP z=*2)Zpor1=Hafd|-Tios@k})_3mE|!sqFGMD#3lfMB~krGEVZmY%ZhUzSzont*RnR zGN`LMx~r(cxE@5Zyw#+bLq!1sgYpn*&Sjrr?ozwTC^_DSRodh=tlXAt;VDE(dklV)ZXV8SGs!@ZfVd+=FvH+sgqHh1m}BdrU4-yW8^TEwh%+&_J6 zK7Bx4a&HNswnH5ma16$myG#eN$a7 zPwS}Z*O=ndWQ^tbgA!i(c7U!12(N;Q_t9wI`K|n@eo&dHvU~2`MpSC%{AnO>~z4C@l7|T^X6%n{GYI{9Z z9kY3_0IB+noKYW=pbop@O8c|Xk%g`~j0#G+SMQ(emG2(5Y6oaD_5Ynyj&tAWTfK}JsF$jQbIC3_$)<5ZeuCi$Lt`PJG+7~ zxlv?t&N^oq5M|;0x3TR?3{<&K 
zPjDCRE3`%@Cz0l)DQ|!ETNX%U%l{a$b+|m42reC4oQEtg-M!cxEWmCq1-?)4;|!TD zSZj1uf{RjFPt96og^3eFJDByhDA0xb9z+EwnQ=r0o?({;8w<`)=_KXfDv=XSR8_yl z!O?}3@G#?<<~CIX4_nkHwBIeriGah#I0^fwPx2pqS#eL;Je$fF*xTD3x0_lXFZ5f!Mnuj@Db+(eSm%j~zQ*E#NK4E@B$SG7;IZCSr=o|4niF->l3BeHC{d>YQzkXUj6!npMa%B!nIVqdP> zg-?ga+{|)PVJZv-r<#N>P!}j>;*(Dh9H+nAaV}&LH=X0;bUNF{a@z6z{0Fzp!M@Up zv&=o9W}9L*E6dY{(11o+d~|B5f3xOdbRMg-yglo}A7GKRa69+AS*$h8e3n||Cu}f=_ z>V(_T#+KZRz=GVzYVRplT63Pg8Mm0~q2{wSgQ87*@>rQ~i{{0FKK?TW?noLuFeh<;I}T}l{+rcZ zOY)1m9Gk$$d?{5Ak zKTW^lY*@IsN^xrPbz(i=6HD@o?%Mm6fQ!&yy}fgg^Puw5yKUqcsYYy#=F9YzC;|Q9 z&-U{6N{2Ir>5;TmWHq&AX{(;@a$>#eRAU@{gR7q2q4r%6mqUozmhl?A$Bbn^AsS{Q z#&eQ{G7-W=0z0I)62au`qJb;R(+|6t5i!TAHl;{abFgmrGi1!g zwTIdgNo`rU4n>%_vf5#6X;!K=okb^O)!N01eZVJ{iUT`hiq)?}%wE}0ykrnY#3T!X zYqHQh@t+ppdn%Q5jC?|_cfl-%y7efB{!QZ^k75T?vQ}P2p-apNz=gc`cL{&w6nocI z^zp5viAm8b$SHpkQiVh9&#bZh?)EbLH6D)mI{PGvkDH4T8z?x-v=52`5#*8RY7p`| z7){c%#QWNCj*M0q24dVf4_X}(z)>HaxY9P2^x(+=N#c~h5F>j|{lomvHp1v6)A!+B zoJU^9cq8BT^z9s?8 zzO{fqDbKVU9hqB_kg@d8O}7=lrS{cH!YeV?*$! 
z`pjsi)}Aynpv%jtf?fUd@IyzH+$4i8XR)kLJF1s}02-Zl|AuZy62<@prT7VslvKRe z2bDVgr<&nh@6e_Km_;=mYF(ai_eB*#VR2SNs9aEH{ndZ-e;OjD-#~sQDAlMb{|-s@Ta|X zOz1Q}Ndv^Ui|&lCd=&m70E{nZpFaAOnq$MKPxt#xDh*K46TK<>`gLcuYuaIaZV6W^ z=ffv$96w^+SwvWYtmii>1`Y|*hB52b7jsnK%9&pIl7L}EAF!Q}dvTMBbcAxzoSo(5 z{t{alpUT42i22ZSbgd$%(dNgr+12>$W*ZkU_uX>MhERW{%K{uf@IngDV4*)J`t9 zC0~6Ov*#e(%4KFQtGABPU(Qm_3+rymPkWD?Ac#|I_H|_MzWMuB@%4*TFJtXWkl%{i zZ2v*l^)Hem@A5`K3NKwdlb9&Qi0}7YJ|qPbl`m)ts5WFZaPMKfv&KdRHL6%p`^9kt zwn={HhEYd*CFG1(v(V*vFYJW~){SGz5Naus6K2G;Z+u%FK8wKb`ADhq!2=f5b0f=q z5u3cDE+`0&f5A-l7tf7@OhnhZ;g9jcOlF+le&*pk$2ndjueW4Wok&1NiysGdOmu|I zn%4AGhXGqmWVr~d=9JvDLdwWPPxK`1ado9`NpYm;a{)?#iEESFzb~MyPw!v`fSu#Q z0cD|o*oH~jzKWB1s19~*3i3$ya8QBB0RoREl7a&KY<0KnXj2-zZ}C2(NF+fa;{-M* zJLP3a&_Jt8T`8tRp3MHMKEZCt_ zh_}84I)z_#4@%H;byjU9C0)o}WTmG#^TW5gIqcJ7*J6xsRK?a@1QfiV=2K1%AEy++ z9ka*oYyXTPYR<1SR+^ji>z$H7B@8aJm+SUXW}aZ*{@negLCoc_>`Z%L+DU#tKhs4W zW0d!^*fSP4$Tl3D=D#;_Wju6Ek!mmD!2jZCosD<<(s5yZV_jA~VYpsNg0g2gb*51* z@=d_kv1jW(f(B9B)V6<`R{Z;crG#Txej=eow33eYK?$l~B*of+;XC zvKXK4oI3XQ9IXuZWjn8Miw7a_#d<4*Sp4nZh`i3w6yK9{W=#2zuxczeF)&f>NRAV6 zMZ^-H$qNmxD@vW6O}xtA?iv$OkT`x-p40V0kv>6!h&uYCG8xBHz86j$>(B21IA;$1HU-c?&Xeiu@z00GNc7o}3M9~lw#1fS35cQGKk z^3rb=ad~rKF!c^1{|*n7FP)AKfOp+_MdubZ*DEQ$LLy0?E%WbM^ck0qxT*NCy}d6( zZN;3_=El@kRPx7Wqf>E#MH%TPOL^g=sO>Hx2_`()@<1mG#H~* zHw=u)uk*e{;K%ZAZ&0x9^p5Z`d~`9wYWpoacgV!#>d14TAdN@51&=?enWysg=hvGY z#%H)NuM9$(m)DRIHsI^{a&--fIsfe(?hJICvFdicPFIa-#uS_))a6%8E2G5BN=4F;zCX6Z!MtHR=+p)OG6z;vaAPg?S0JnT z@w*iTbMEV4!OYAvHV;Ry&1(CS#w+!>fpq^49qB*@MBh)14;KwtB{?h!xlj9u@Q^E< zXLVB)tcDdP&l#O8jTQ>nVpr8o2g6VR$#u}QJumr|MwLB2cu13t_JwhIYe;v=7`9*J z)U$$U!R@okh@F+W8CLAxIvvPREOox^-)D22V1F$*r0D?rS;Li%LQk?R*Bp1g`p=)e z)ng;g)g>+7&h&H---EPfN({AX^So;#o%y7UjFCKx@?sW7og4-|uTEyEPb;9*P?HO3 znzm^?lrADPt277c8dBrj#T}Gxh&c=)e-3$gU<7GQ@kTlBsnD=ej~8nFjDN&r7P>s? 
zC+JsV`+_2-`u=ZC2C1xwFf=ec(rUIss`ks%a*l0l(`KG2A=tn98KY~((9^)hmz`6b znj5D~$Mskg!;`4M#~3aiTHAV6nNdad2D#$Vigvj94mQqUbY!BP+R_3)YcTUM1^JZZ zunwPg@vL&u@-4;~rpBV%9@m7Rf&_{{1_Re6K~6)S$KKC2zxMraKcWQpZSy4@4xikj zu#JvQNl@Uebhw?Lp*%+$?(X4C%njrlr?yo6yS^q+v&AW?`oynyarq?V`02v=DiZy2 zG12XHzok%#zr%yK&c2{P;kjT2_Xv8Bsx&)3mCjqsj?Y52Icp`WSfO219c*Uc=)cD-3mP`zK&rNbE@NHfP(4~h)qaJEd0AGHib|M$wR z%NQ#v6L3qG1XaZtAFsEJX3I?J=c=*a_OS2;%C!aD)vPeL#diwV_Oxi<*jJHN5Q>YQf>*jdD*MI!V=L z5Tuw0m52QzqR~8FjVgDk>6@!7yd);YVY_PgHj@-xY@!R4^4u+>kJzvSB@_`gMStHJ z6Sy&UfajIe9^o0rVV(jgY*QR!%ieLQL*SPJ+FQURFs1YM4>2()YK85?vv#PW^vLp}aJr z(BRj3<848t2t9pg(EBO!c=D!rAOCd)bLh8~7wszy{-)t4J?ZJB?982?OCAxy7ECT5 zp!hVWZ3;(#lDK*>Z`6Qo)+=SwP5DFKcvpGXDTieT&H~+ZAhI7LFI#}hMI{nl zj>wn!^BKKGX8fy0x~Y;B@9Ev3&^noBO=o=#c1?{|27E_#KAM9@hi(1(&N2RFKj^hhLE7dyXIpNpB^t! zy-bK!+rg$FeCC~lum!@TbBz_G%*?R;0wHU<_kFVibo2oSEh((A0acgQedslRaB^X4 z`nzsoD-ty1*qe6#QXc_CJaQp3yq*2@?8yr$W(3!#6^+g3Jj5%n%0feo4dfLhs0sIY zfaGN;!Ky?&e7eK#vwHiOkP@W}fzlqI_}c**+V1^t?l;f3eV9Yq_w5y$egx5LTz)Q6 zl?xqTVb9=g(O%3 zMj4uDl1VI&hKG|`Ru>yqanT24glXcynqo;O?6eqx{zU5^t zQtjO;tqPj z1)QpNZFO4O5^p(-yHj5`(Hpq&g*hRa!zZ)u%a!QXR2Q=Bc+x=#Fey&mc;70R{DrEF zf7^2%JEs7%Qk@jdPiOiiu<%}1JH%50{I7k+RU*iON7mtPJ~D{jml?u(^MhN~wZZ^+ z!MhYQ@nCpkV{;KE;uBMOq7<=NPCh@5DsxjceBX~N0u*AC8?4x5>NVp<| zKp`rDrCeq)DGyxx1#2g6k7T;8q#+z}-bg?zrlN!n3b)Tn)2szZt0G>24GoEN?0r z1>0G@1u_y^rQgd3($!UcVFtENK9OLMK*r?%LtE4MiB5!_2ACi zTOEng`kU+kyfLRR&%dO^0yOq9m{_QYzQPEk*e+loXx-0+cvZTqvxYcnjak!QmcqvX zSb|lJFV1rn_wCy^s5bt9@2@sCF~+T0o|;O!2$Qxy@m0^?g_r6o-iwqEw zP@@;f7@;UE#eh@zyez!@@pY*Y&emQ?!(djF$A9hcxJ1MfV1YOkr$1U+5_)@kQ*?+5 z4k{h9Gmj(VLhe)LUtsP4DyXXOIMopCI15?On1}9!8Z9d6Jl(DkhJc05h|F6k1QK z4$gRAW>NQ*>VH_G{t)*fe5LvA%gX9%Ms{{=1Yv!hdHVr)tg7a&L8cDnIt7;kJgj+Z zMt^y^e9plgER@#<*g=Tt@nFmCDyk>x!=7)LUz+WD=wL~gXT({A*=LXv4=(Q=u!3AL z7ox9}pi^}Gw$h+p`9*5^{%^zde4AXXvs_oXO~(xrLtuwFA`MN^&G`AQEpa`?6A8?L zjtzz^I!JHV)DLqhH5c+*WP*3>%xC#-tu$&1irB5YAM_BYvu@|gX-vYZKVT#F;)?zK 
zHvBhYnOQ3${)?aU@+r9TlWgm;M#AdfU}3E*a8#goFpJqt(_e7;)0=K{7uD$-Chd_eeov!R@UwHe*E3Am1gV&%x>~_Uys%iwJCoF@OxskBPFNxf>hn=%tq z{KZ|aDJwgSO ze2RRLdi3$FAHSvrvIORkH)B@{6s7|X2;`&$EI$x^J9IKbR0zXI1Icyam?w@{)^5Se zM-XPkZNj6Y|11WM&Z<+|rXdAvkfcl<{_?_eYn94)`KDdvx^3Z#I4^iiJpBZDY@=SW zAjP^b>_(DE*qD$>{k7$meu+0;COgVZv3)VePl1;KJ~)vnh!JscWaKsNKK^LnRgaj9 zq`C>&fp1}z6zDogJlwg|ks29XsgyZB9ky`iq0}l8Hy#G?PNwL=T|iyx(1Ax)1DcRvrQ`cAIr;)m8AmYWA6 z>!;+lXbY(DD` zaf6xJ47lSuBa2L}2lo(1yVaD$!=eikECnlyU%yckjJ!zhN_@K*gs^}cK2-L3hgf}FM zJd2>%IbC|$;AGcdEy#gZDuq!TWbWOu-MSwZx42;&rV#$~r<={Z3p+mYRFTRj87)4U zrXzTy&_T+4+kil~d00e%{W2ixy_xFQxl}5JNS%8*0qn-s)(%3`%6a^Y`bDb7;vR>U zPh2%JKyJw%AOfaKx7sM6oo&S?!4H!soApGTD*2h4S!5eSL}1#Ml~)>0t~C<|S!)kc zIlFkdO^ApZ7_!ju)+Vc(MS8q-*SgDZR**KkW15N%@%OOp=$PT_z-;(WF9h4);UsYa zs$5Ulnzg!^QSZ{{tCmi0HfoD$`hg^H-L_0UfaAt3Wf1J7(_5(Sh2d@HxW1QjQao^C4@U&L{v zxXGsjH3;EZN?mTyh6GjZV+}nhm(Kls4G{Ja`&10zSq^kIS zhEoSjJvYGa;NUp@ZW96fa7M;EKjDo(cuR-*RYJML5;~fSof`n0+u9WD$|2hzu#TKy zW9X5vY#dZOJb16GhKP))tvV$tgh^YGF%l=VF);SibPo=;jgqD(%fy~k&0+784*497 zGY1kjb9Lpn?2uXLIZr~h`K+S5;~Qa`;EN$% zO_wbOKY5=|I-fGE=Jc}6O;+r;BJZF!JW z-E2N_taUr)BuLEq`0$%LtC_l|fAz4%o)YC@o7R56nDG3*N6DeTe0v||+aFN``sRyw z8pdP_$2JcqtGA687Y}mFw~cfMR}IvRh+PhkTZHl#URt(8Z&*u`hab?Y=+cZNw<{A9|*!i%6?mOsRB}EK~?B(=du*=%^1l~B^SQb zo2Zgf$0;89lh+(C4JCDM0lv`5!3e2l$&nzqKs--9!mk50j9@q6=vYB@$g7dYqTT|A zi?3*HHlB}tdqbuzum&c2Ex^Xl4;$g=a$I1HTxz~yrj7smv*9u8rsZ?cDdPw|CRY^zYfonTnM@vv)n;zQ&z8`lF>ONzbcG|E9nE z&;D+x^a=#^ojB#Uav0FkL(*eG=3ZoX@i!IG+4q(kA+Y(Lll@q0r_R_o@c*y4w~UHw z+qy-GL4?4LK!QdfNFYFPCx!-hhu{tY3YRD(5G1&}YjCHM5L^l;xI=K)Lf%;W>~rru zU%T&X-=EhWZMU|QN>R1eoMVpBd!KWSPV>1y@!mz)+BjL%7>Vs)+F`A7!)1HvoAeX# zJP(m!d5rY4#KdB(o|2@bxBh+i9G4g8{vw&dJ%Y3H?^_pQ>}?XtFSczTsPcOMd#Jx@Row1Q@bVKHwwGJ$E?VM`1R@)J zc9&pBN^oRc@(xu_*y}U-?C>Cp8rqggI-RPtQ|?n;ud3H)OVRGIo>EKPL#)VWOxLu; zq%Ch#>uykR?A!BGL}^#<^hpuuo{U_twLey?MrZqbQ;t46ee#!QSb(2-cKNLD{CbfN z`d7iV8$kgQn^{$+q&H`bVYBrm9dqlnH`tKV~by*h)`Eo=;R=saiu1F9FTTBR#$BHos#g>T#kwwVNcb^W ziDU*{DtAxwQ3Tas7IxO0wjC9Ah{rhQ0L@gKGreRG(VAF;ZnZq8aw8TKd& 
z0|z93m+axBh?iWyMVlGcQ}ChW$4BG*bn4P^`$7;3Y}^D1U(R9br|qwklaity4R^!o ztb(*rRHW#-IcqEj4p!i(J!@U@eB#Thz# zpOF(kjZ2qKSN?5^lVu4(4j7OVap>uK)^o(mR|7 z!h`3J1aSm^+ijQcf#`CR2-j)#d@dYF34gCPdm&j+W>?B@UGLv#0V1N>oL?6ZT^3F& zj=_N)$$Ym}Mi=aR{{3{WM*l^jj|PS=(9(ZqCl{}Q-{^Fb=6+Z^q^29hDF+pD@0BVY zcQ)vnTJ?-fnPm94C~^24`fM8t)$WVQ;607{IysH@TzNUN>Bm=4!r>)Ls&g|#^?YB_ zyR%IE=8vw-clby(_*vPH=jB%o|c_XSjW=sGcmcC!hn88 zaycK<3VU-rb~~FNbY&$9+?vla@w!sr1@u0?ji2^8insPJzq0qai76}r%$n{zCv9I| zL_dhqeYX~tQQzL2vq{nxtMy~`*jo?ltPtH>%29IFk33HRo<|nGQL&lwC9uKZEUVvd z6&?pZdi=VSoZ>fqtqvNj2_oYJ!(m#)<()6n^(b_RwfkVFB*G5d+p0ORcUi|6gB*2tc zWqb9?Tv&>m$413VCxf^D*fRHQd=Iy#HAx1w$wyK0`4+{EvR&4bKIe+LL-X%GH ze{V4W_09e@4|5HtMSWY_x~!V^cQ)pgm=HLW|H|ShGS0-TO!W;xZqRdTf>YsuQ-R`= zhI!PPC}z!?xc=R^V%O`UJ`Ygul4zu@q-mgNtfpXEn>!|2uXJ2df!J&%vgg4<4fzjiBV z3XGgNxHM}n#dGZ>wyZl>%#0LqtM+_Xz@Wc;BpQ~<>KWJnHPgY8^o*H}DmZ`Kma538 zL+oPLhZ4pO2cu^zM#G$EJc(as%@w+yzDnX07Lb@9;NrB)D2-Ekc}phqdt?sEu^Ri( zD|bnPrwP+;bljrG7^4!^8TT3McdJ&-PdTHMLM!&sqsunmN*`4w=+bhbwq2i-kms0A zelZN?j_E2OySQII_0#ZZV_^mVBYPjx>n?G#nnWNpS(J{kZVHv zGhlbGprFEhgsw^-JXKae6&t$^>1G7gh)NbD{7B`t zwkqn~DtL{#@%7w?g;jm?_LJvQ{D<3o!7^_%ZnkE(4sLeX+)dA0J!2M7T2NRie|{m8 zNi6y8r<+`!CuZ*^SqP7I13u`#V^ZUOfGM3;PBEbrKL<}c^@Yb_R0Q`TUz{JA5l8(h z{FbY#ICjH{Zu+alqgDyNKg_)Il8nQ1d8a!#S^@(4VFC|teo4VQ=SF$QIA5dQv*zFm z2)JKtGZiJ|l;wXt;?jKI^J=|qjtjEsZDM()eWQlatby-HV?OZ!FNEcq7A zd<5_9RXYvd7sv8X8J6f-bp;b;NsvUOo%8N_YMKaOzYV%UU6<^+eXmW?C;MB!Lso)s z1sNfp2I)y&4)v|@X%^*Q(l?G;Xvj&XY%H&g3cSBLb2VTbjy)Z;rA8TZt|fW0w8`4A z9N!@lzOVGPpR~??YRe^3s4CE|U+HUfFprt$;I2)e_YCJt?aoi0{Dp1rSiTxowQRoo zaQlKy1n%*<=dh)BrbAr|8vajJqSb?)`kDR^Zmtp5KC?5&P@gvypxon&LBD=%9QQc9 z)L)xmptNxB`(vQW{Pdsw3yawHr%H@z#ul^#e9w7DbK8(R7VJ6RneDz3CMO>f`%RY- z>Q?NX{^o>hALtEQtGrcf^f;xxNsgn*;~5?t$NH|_Lq*_X2{>T;vTi<4-4|EF*UpBw z{q>`_@OWl%|IECB)KY1LkFA5l-j?s_?=OafAS+i)4zV3HqlIKnzjt2J%C9L35ISNJz?#!d#_~G%@_c{17L&Y4H6gB+Yf5LvPEny;Bfi3ZG{^~D|<7m_$TfTo3 zsm&x<7Uipdrs(=q8O!$@7)#pg1v6*(l`fbj=@Q_TjoCbEC05?ZK6Q)99TxgzDJC-= 
zM;cA-%1;@_7}2`piK4$1Q$n0Sz}7+viZn2juc4t&t;e6p+h$$LzAM@DL_aV-I`*$9 z`gcPt<=fS;d8FNdIi0?y?QTx?LzdftA=W4>&4ydjsGV-oPDQI>cHWwrYdHRQGSBro zmIy7u_h{^*pCWU{RAS@l&qONJ3&txVANNU0-3*P4zIpW7)*gN|S7mV|W(sFZJ=$<3 zBAOA&Z7FS-WDiml+kWL(5o3TYlJD4X7GTs;tS4y=|8`tglkovZnf@J|lJxe^vpRdi z$Zy3(BB-;io%Xquw%|!Za=*dVnOUQ0hsx{OdJ^=kY}MT41QxB2@2#QtodGm-Pibb| z3MtUFdi<7Ar#CCcXs3O}Vd^#C>j)Z?`9B`4S4XUj8Q*Q#Xb{a9%BjVP8e{JM(50g> zQfRcJ)9V>z3;Zjk>m%v=#S4Zv=L|PCqp@(d^%_H%Cl}N5=fU()IGFM|k==QaBuDMB z_u@ykrndDIM(tm(E6ANjx;7?kxaCCxXcqnBzD_nwvb^|mIau4ExFqc^Gebe$clN85 zu6PFlqGJ=P3bfwl>JXY_O>H)!w?r+X+wcj2FKsT*#Rd;4R9ZG(8ykH6p?iwlNQIcy zTKO86cG=thQc92G_ zVd0x3&iqGzh>bd$g5OeIRCvL@{+n3PZt$U-wj(=Ahf&o1h{EvKZeTx0@mBOWy1}b& zi;lj<|FWtE?b-W&!rXdt1DzdH7Yut`PA3#YfOyh==&uW~oJ70t=n0-iqK-BbRb-mV z|GF$pb92-IQop|4E#EoJ#7-`@@#g0=Q=18!o?XZ~(}5u+`7-OfL!c(b9Qc|(~zX`IaKXZ-8~zE)pQ zzu55`hSN18=I4X#h>MJz9}M+VjTCTr$%^p@ zS^RGNWYVv9bI_$Xsb~Gy{mQ%H%hzm2nw7YJUdeZFn!3RDyWHv|LVV%O*y%U_El$Rn z$Z&^3`$@?~(xHV_3WGF!vZoQ<2Q#2xHtk}|0d#yumo>|{+nEzuqa6buL355Tvqit{ zyKL`YyW(AEfcYW9*eYm6z0OriIpJmAZ`W~np?b4_?3x{C{k%|-|LWM&I2Vsb+9661 zDaLB=qCMTNoX%b`wrh6o>HzCHxkj)?*7)S7q{ob;qu#s257Dm1G zz&JNHXo+}c7RtM8cWYkA{kr+tFNVH6&=s5>E%>HqGQmyc(kz?Aep~7-$>x$8D=xBu zoTwvR+lV$gCS8%&KR)>H85?e%mO0LM$&KzEpX#tt`R#taZE2$4^^@lOCwI06PF!-9 z4d^#ETt4m=-8*i5Bc5Hr)I9xQu2{_@{oq6%kG9}OnK%Vs#4md38`Bra&WhbFxRQL~ z(Zvr>_|BSA`;~UNody~weKkrUdBnK8^_svt*>%3-*urtueH=6Iu{yQvtRR0P_w`j2 z83`xJgB3f!W&=gN7~#*a!``4d*r`>Edh{9x@-&ArpZ0i)w7;W_Ss&ixl({R!h}@4&z@h&}ku!M@zU9VcvQUS_T?`70xy zUeHsR(5kubONi<$qZrxiw-@}dSc>k>H}Io5Kd)mh#MY+_U*VOG-$`tTQ`($h)GVXS6 ztBOc`NkQvacFUs3>|C27j8Dy`i{Mq*cd9wd;FpadIfBB4y^*&boM2CcAIqTth1l(X#o~KW+Ey z0)y#0NHf#pw#V*0p0Hme8^^AMq;CZ{r$&X6rZ-Y*W~PPh^|`fk8lo!ZbAz)gdow~S zNL(zimm}MsR(AEL+8L^Zcvjy}Fjk8V@;L1v5!eaeTUbSH@zX?-wRZ~_*)P}@VcbKN zdlz1%E4*~8wkAEFg7YT2iS)+f{V$~(G8iYk3(kVBYl~g@1guvDnIDRK{ct?n!s4_k zWSeB$J73OQ<+A``2%GW$5{5w-t|F0g=>^aZbD2iI>I#j zlZRFQbk7o_>~}kL-_Xmxo|M7dth90(&pH0!35l)vx~AtO9`s3PcceJe34T$ z_)|WXujY2*#%gwzu=9tSWNBUgGe;-20q#om0>0Q&Y<)b+1H+ 
zF`qAjC(638z|mN+}@p)N>b@~e72_Ml<_0p zUx8BbP%=2)U$&3xll@#)^j zGE=ATEMrD*C}I>kCpe`;y`|-iI#?|E5&2Lk zW*tFpnve)o)|N8sVB1m5k~l=qJpC)&Tk^Qf0E zm0v2~IfoM=&!M8eJ=Kagf-$`6-;QecG7nr@kze(FD(-(KJt}{&w|`9d%-Qmaw~O3y z6c?U6xr|fZ-p4g2>rOR`gM)MO;a(N|59f`>J4$)@zwWy@CyQ9(Ht}6mPL_$@ol@yg zrG8US?MxRJFzK?&fE-wCF7xBl>;l^j`++PTB*0!ceS)#Cl=swvt5s65I$ z*7kdsg}(QdP8H5S56G-}-o3dASG6x@Vp_5=facpxzp`>SSw2msr^eCH+{i3O`v`Mv z>oS`6Jpc40Vqk5#aL-?rlZ#EaBW0%$(|GdQ#XXX@26EwcjndOFOK-K;4-o1b`^2%%c?dp=<9~X^uXm%Fr zn4`JEiOm=em?yw?T82X&kbhSEg(i8((gD%~L;g2SOYL23D!N?s`1ssmfR?vNj&Fcp zw+gzrZ%GTAc;M!Gsy0iJeY-%Azb(f&ZtPxiSAwuZ;<&P8(+lg!!c#U-|OkHChPIpU0AKa(v}m4p>vod@#snU-&19fG9>qM+cqOC~Cga!lPbj zlcw#mlK_vl({RKK2)L`q2-KNBskG6~Iy|Hh99Q6utJGT|L^W|u(y0yKF1>4s+BAn^z%Q(r8UIlNuOQ$RBu6{*7ICoC^coFT7d*tr__6!Gm z8AHQ$LA}w#P_?Wat8JI9ys9c0>ouWl^nR~PDn>%Kul_6Bzz!d7@meR3C0a-&y+d1G z)Ob${bLXPi8Js)!>eljfsz-7lQ|!#dkEUV-3zbh#uUPvzd5*tW{l=`p|FYtW@nV^E zT;~EIQ$@JS0Q*ueUih|(%t-PDyC7PDyETf#Nj#C_K1Cw%*kPUiXwn7KO1D&DwS^w{ z5V;A*g~lG=PM72!stNmTzTUw;w#8c7?xM50Zc{m5gHp&W$8-#d^a#3_Nj3!E501S; zXU?~nA@gX0og4WfcRzUDC&#pFvQlsvS6R^@Bd6znsAqNeyaQ3+)kQ~qIy;A?fj7M- zEPu8KU#b@|DnxTJ^~TlEHcGZSZQU~Ydj+n`U6RLAxJ>6N94_iuD_M0g62)b0stUpE zEh)Ek&1Mhqzmp4xtaSWmeoaa|j&}vp!9bQU%XYr@oF8NCyhpj?cwcuU#X2s{(bLqvg zs=^Wn=QMS7%d9-p{(}}?WcdVgWr~P=FdJ=QeDF(c8?tZ!Dy-=TbyZgWbxDF5y_l%8Z!>z)%cN)rxNH{F+|s9qG;s z_Y7X!;%d<#CQ-_m6Nh4Mlaibj#?lKdCB&(&8r# z3V$aWw-3+Y1+=mwBMp>~g%h(RrBVtjmVLw1({11Xwh(eHdwMGwMD zoSsHen|2+sYt_26=f}PI>|}nbmYVv@Y_htSe%L#E{vPCUAao7buKoaKI;|g{I z-5}@^U z8f#i93_H1%_7#KqYgm1c%y;kK7rU4?Sbh~6aoGkKLsJiL7ZwH|g{(3C1GxIV9X|Vm zMGiyE%Ra30gEOh=$weBO&C2m_i&C!rDB`N0&;Rq|QAO0(>)A0EOnL3{j9OY*1GPVF zB+Q>Fca|pB>h&417uf#Jy5eRUKOjf-Pcn^VXP zHJ;_F@xP0IFCBiKVGjIPS)if@nn-BXq4Y9a$}ki~)qjUaI}t(gBQcRwXDbU?p{+RUYVUf3TcDvEQ*q#r6zmlejY{wCMDn?QkB^BIQS;A0gpPbv8 z|H@ozS6fM$>miqMT2Ol9pU{CVYl+B{$7scuc18!w!nXtdE7^&Q!_(d5d2oCZ%jUAk zyw)?iH0LZCGjv`jdd2~qOa`Y054Rfo7Xw6F?MqH7@Be&W%*v(3rZBy|X}x*Wu{9Xf zicFhU{U2S*9f@Z3jMy5ujlaOZag-R@K*zvleNl;N-LswT?S;)g 
zbC-?TbCvRIr=7X~3-oL67JZ?aXF67`xd{FFAWPsNxkl3G^VnNT4245DLe$+(B%Ta! z^WkoLXp4Wx#1mkQb>g3&&SPCgQszmR1t_QKlRt0Y$KUbPaT;EG!qo{l0VnNj(ehaY z4I^b8exN!aKL~MvpMPFNzUqI!h~R1X`RBzqf1_2L|LcqEkFUMB25;5PSQFgh{)mIT zx18?W-@p4NAlA4R%li@jndPIC7Xo?z?;rBdC*uI9f}elB4(BX_+;RSS@!wbd-@W*s z_a~|O7i2@6^{&k}N1gP)a7M1-OQ-jUKmPketvJ2@zZ;YPyqyUunosv}a3sUXn!M8g zeHNg!l=JeW{#{<)sAvD0iHpiMcCUNR;IKsAF1&(V;{SX?{<~rOpN!@IF>I2Q={@w~ zS$TQ=TNt7IrGb3cBONWRl?|SMP2BgC^U3h|14ihyI*dsx3p%`KCL}yT`sgak$|gWV zRx@bWI#gkoj*t5uldzrWO&RnTDjmPfkv%*SPFFYQ;c5Ldn## zI1@|NG7#!kw4BjW%(eSTK|w(`@7&3^94^f)ER^5a*ob|&tt2OxxH4SEASkFU zE-vn}QGd&@Xpp9O9NajLXK01GkVc3mhuaHo%z= zDSyUKR>rrXF{*wqW#{B`hpo-c;#YOJ^}l|BeS!qEM(hF0UH;O?k&?-2b+gc_aW3O| z&{f>`h{rf75za)ZFd@*B(kXl19i(+AO|UqD_j7uBdT0#a4HkU{?4%qlEC~@2w?BG& zFTpI?dUg!hrBF~%@H(w044}X~QbAEMgqoh4TNSxc<0>8yZ?fd4g?eWYE09nZH+r z8@2n2xlYfWlXbic7cOMx=gUA#=q_-dPe9z}jf&K2YHENnVZka#X5p(SrJRk;w?izp zM8A>Xc-dHpY{UH)vvx1^p{-eEU}l!7sHj*)Q&CavjIMd81hGS3LjiC`;e9>zfqJ1O zlmQtIZI1)PT(u&Rplxto(PT4flhxBp(s8b`nS3`iJiG&40nHn}kOZZyL8s%xk$FK{ z-}|?XNvGMq+m`Eg29xsuOY=9WO&4Taw`8!c_geK0U!T)#%rH zFS4F8Gn)mHSHaAOT3kv>igMUFI5;>N99hu2HDIwCfX-FU&eK6Ni9cju2&N9e;bdf# zgr29e&dwD&<3i9CwLOweG#+jh830p=l$Q4PzMmhj2ncc=MXF@?Ef(F{hA!8I;N-)@ z!Orf)s8eL*R|+rk$%`B3C)s{|OLW5_|-pR|$ zhkzWN-jfOLSoHVqJ%u)!5@KSVU`sk<&npmib)_Qaa^Bs7?Ce(kgA((Bvxjl}`%doA zhjjp&FQQJ4oGr(y)sT3@P-=T3ZJ2wZee0;_IP}4+L^?)G;=CEAeC}`tr!4f&(FEQh z7Jcd(DM@n`AD@n%UL0DL$ADMJNHD3es3-$JzouvaWoVa4NZsT*mZxI_9K(XBiEiCu z;N#N>>Kz@;g^0wCzEoFHN#ESG9fe+zLAc)Q(3V`N4>~^PARRqNo|X(+^dnxK?vqz^ z0$;4r{XLm)Uc)J=LwI9uLxTtpIl=MD_(?9@{B}vcyVR>!uL_4(4x!m~0)tB4A3UM` zw~{o$*KgcF{pq}yKR(dcmkKUY@mSK6kql-M5)$=7gU?8dS9&%!g-e$%9X5I%iSD(P zpMb|^A9TY`fTp0*VA%-|Cia@=*U*UH@K9MqnvWhYp--}*fxg|#@hT|fh*sfGL_(6u z?6Ki{2>)g--VLoYGm$2(l)<|OMn;R!U)zQmo9=m-ehuSLsi>@6XSwhNFEi{u~1Z!($QBiMJ zHntrwb6vU-zkfay7w5ZE#{vEzU_D|lJ9*?T-u+9y{BI%9|53I9F8p_B?tc#PY`iZg zUBtl&27^#P046vdkD)CwZ9RfVaLNb&|3oHm0sq{hmEBV$F{MDy+`VT5tYJklvy8?( zt!f>%|NdjTS;db9d*08jf5TlaG9)X&&p){L9|ZY7AHM&@z5iUrf4=w+%=%B@_dmd1 
z-y0(rG{z76%jj_3M!=g{=Z@R@Tj+B;zr|MNu+shg`x`J?TiscUo>hjfoka@ZYT|$S z$`wP-XreoJJVgf_-Q8>8??}y!ediI4ZQ z@msEEZ-BdQ(mT4d->Xnd{q(%Nhx(CwK0cSBl$&CASA4#FQB+flR99EG2Upn9*Uk_? zeck&T9(`a&WJFvM^Rd z6w%==EfN8DJBWH8(9kSGvuZPIYjpBi`QYZ1@^bFIaafZBP-u&-#|0_4ZJt28_XrRm zc;2M{{(t$BJgusb*w|bsKdxHiot+6#X;i>!yMLs@4m1@dMa2~O!od{>sFx-`-d#}t zru!D-4o;(s`y129G+0~b!!(rW{y5tnFXTD0U}a&^o2iiAJ2dnVPtJi% z9PBWIsH;ZvMynjnp%_;}MHpH5UE^9-SX2}m96YTe=n3v^^jusjC=@CyJG;kNaEk;o z?FG%Wu@4_Ud{H%GCq;ojn+xMsIsqOouKi*!y;ix+Q-D!EK0e*x4#f_jLcAM6-XkNL zk2K3WYot6pYGJYfQ~A?3o6E`uLcj8K0oUD(tgIHTys=$<=mnX3n&|xJ&!0{RIk>x! zprE9kr2*GRFU4I}N(PDzny(L9aKZ>S>9Wv4$%RJPytXr+%*@RpvP^JbV~4pxVCUR+oQqkG_M-kbZ1pnX~5eT*VYEM7kWxOj$J-} z{I~!nA=%W73_ zDyXXdDWW(G?$66(qTsQ80lNvT(d{kG&2lm_0ZiJ}8Q_!Ln{OLy5iA$*HcqCxL<8W| z*jW5@d;GL<^@{PnUva^1iR+$Kdo&kwf?byrG$k53bQ;2}FX2Hdc=8?KVu|Oe$L!2Z zxeSeQM~s}f_~-t7oqTZC%FfG!eIxR(T_)QHIc86vz6HOmV$_myWV?}8wUZp&5wgNy zd3|3%ZWKCBr?<69ItJ*%q63Q@0ry3PczF|(jLVlVD=H`?UnS#&9`4crAc58d*G+b2 zDP?beKS!AH?VGHhpWmvlciEWB%dW02^)jniXtA9HSS8?wIbi`^~ zT^SJKU}?Dk-P*&N4M|!^MN=ZKQl8kdB~QSE1$rF!uhDiX7X8R zSlA+PlIhE0mYmVhrJo%p!f~R+VvyC)z@W*3GaD9yl9G~osYN6f3*iORK@%(Fsm-9A z69`Bbnw3-UeI9@fS@_R@m7a%34W`hRHx{1MMzWQQOC>m@08<^gbv`jM5hna(rpJUG zV3FBqCF;gQ1?w}WkkKG306L`ctp^tmYA|}C=iumzRq@;%7#_}sdH|?xDAvli{`$Ib zz2YnfE2}&h00{2g5Igqv@~Rwmgb;(wgyc@ZbQdl-3!y%I{8-^CY-?+)sHvF){9*3} z^Oajny-2NsI<&vP|9Ds!t_?hU(x5;&VmkY>Rc0Zjz>}JKr}}*X=!0-v*I2Dvlf=Hl zU>jp*YWg~SsZ(F?e&ePI_R=;ov%iNA6Af>gXjMYSGXamkpcJ6K=%Gp3*w|RO^-ic* zsUJR^7w<;?fN{ui0)T(2==L<=d7ayFbGa@{ZGdd_^PS#$Pzc!ihR?(Xhk z9}^Tw4!b!?s7_S_1HHX;4<6K;=l7}Z+z>nQ_N1YvrkkkZac%!~-d81bvt=NfTI}c`Eng$ zJ=REQ3&IKNjx>NBUiZV|`}gk`yB*l3rl(h(dpn6aQ@J{|yR+k05%B5LMWEswoSYBu z-+uQTH8nML^VY5Om>BYsva%(pD*a&D zY!5CR2PHx(2m3v2Y+;#A=B}<)t|n1s$LHlw>(-X5;?^KZ@3}wQkY`E`4Ha6s5A+Q{ zQZR%9z!ij60Ks)Rt}R%k4LlIbCFJ*|Z&n>^b;b@>e!ea*!NWb+c$!FXP^ z+#V_VQ_0T30fO4^wY@B$(AkL2^Fku%`t|DwBnQ(A&?TyvYa6058zBoeqoboPJAEoj znwrZfcUZQKo!tey#wF_TQT#OR>kjugw(mn`_CIv%Hkg6PQ~^Y{dUrS+8NsN0(1)OM 
z!;d&m*pcNeP;8;1WMyW`NlEz`Vd7SH4!Bf!{FQ}*`%bJI3i$s({vCrQKe`s1#;1*0hXT;p z%QKqnN=KGLwRv}NI-mOlJoc_joSU1w)(R3<134vB?aZMeb*StM2oV+&`vhDk9n>w* zAsIjua;VZumySh%%s_Zxm6sgk9CNTCDIB!mb=}Q@p&Z3<;4Xs8*HD>tJh-dO5=d%d z&ebHv4ws00hrb7W=qP%3+93k;$kyxJo(p?&Q4iKB})L_LA{ZXl2U>T z2Y{vsUjRxn@SCo+V?b(%4h=cj$KPLBQt}Hp+$n)5j<6*vs^_2%BdR*6U0{ej!*-ie zMq6v8AN6|Ph8y@m7C5fL4x^7+V z7&Q;A12RCsJtvL4G@3O$!On~Ue?yqx@#B7pSW0-B>22G(gQ~jvVi!T91cK{eeZu%q zLD`0ziRE|hp62q%u?2qLsSH8*keOLUUq2a4 zRZhfn8#gFr#ug2@bx<>FYmElQcRcrqnkr1P_Io@UDm`vzyPr9q@?BIBlHtIlBt07Y6*$5gjKwHTyLNZ%dq-C6+BmK~}H zD0ox2#+;rL3LV)zah8yl?uW7pbCd+v+X9?{hDIcs)6#ZaP8-%Kl6XLvTwS$7m>3w& zsu!Dl#jI%oA0xOUn1euFpl)R#!rdez%MJ@84rr!?bq6qJE{@19=>Wf2(!Easf(Cfi z$eI@Zl`9IGnlS(#=i;1u#*Zsn@)HuiALpSFx&~7jRIFEjd3Ju@9GrI$g3!^Stg0H} zYVwWwWUi#9Mhh_yq`taq^y0+}I?%*-y&&CACpD!Dzy;90w9%)c@oudi1aFuOrHURHP&yH#~fOp5>?AGyE9KY!K- z368~=U?m`T&Nc3)fb3SlZ9}MIy;1;<62JeE0Pfa{?+FEEVOjwIjMRyi!987zkW>a( zn3hnJ2J&K*ZwS{dbY<#j8AMWP`3U%c>G97y); zM)#hErLOK1P~D-$N55q-%?J-_u)m*EulxY47a58M$vd%OYAL^||uKjI!kSpN6&l+;u| z-miqKnqXvvXz~!mU`@nt%62q0trQNjcPA9%VxUw&)tdDROzOO@!s<-bgWn&){YR`S zf8ez8_kP-cN;Ka?^yH~<%IhKAg{COn@7=oxNguTG|D(Xc_6%Ja^rLC|CY!n^x@+FKn->{wJaM(G!P_YHOj0Y z;IDsVKLZ*IB0+}6#pU^taXkdZAHoPy9kj!*PDVDGI5~IyEtrpwkIgJCl^{7ITVo*d zXb|gy?x0O89n%Rm&PZ*ptmK8<3*rwp=4w?%g&M-CA?~3i_4g%O1`0SX`5uHv8#0zi zN!XyVJAL``C5S-LH?Lhw?CzGoZ1N6v9Y&vO0%8K;2DZNtAVmM@krcpGM+?_TLH9~x zM%4rvkImpHPRl5;(@LnVtr zN&jpo!m@OnP*zjR1gUM*eQ%UCQqsfHaew_406~HE@8^ISsQ|J^_6j>YJLR^tw6&2L zM0NwA)_D`&=?BwR6igW%U}d;ESZfZR0iaw!jzpkV{`i0D4kSA~FFiMrTGH3sYXSrn zsk;9XLm@a;_X0aN!WK*bsTvlj_I7qo5Qx>R%>U_1PA;VyaDWxs($>}sl+qqB!Qb@W zpPb~{ud1O?>VRF|?KL1i(X5Pz4&r!!@9C_n0x$uB4*HZGo*I-zWFkOq7{uy z1&r0rfmkAA2hjnM2Gjv;#ek&d!NP$taI}HHJ_OAVXm4mp2wgv4=pYUb9*+2nr;4<+ zqOd^1sDZ|3WM+y3%BDO6ewV$Ks3q#={1pUg=;-7lKmvA@|E@mpm0u!H0|WocRV{cH z1Y9W@mJ}lN0%Zj4kk?^30_J8^z#C+d(7H*4+hg7o1589@6b1%6!a=E*FBQzpvRvsh zgbsjADM5))&evYa!voakxVF~$hP{(@M-V#=an3*vE_)UhzVmaIo?E}_;;`D;- zDd2L?TRLPK#W!0IMXncauTt3ZAs1)2g6raWT`xEHFw$ci(7 
` to the servers, you can also check the application version from the command line on the *Application Server* by running the command: .. code:: sh @@ -102,7 +106,8 @@ Please verify that each character of the fingerprint above matches what is on th git checkout 0.11.0 -Important: If you see the warning ``refname ‘0.11.0’ is ambiguous`` in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted). +.. important:: + If you see the warning ``refname ‘0.11.0’ is ambiguous`` in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted). Finally, run the following commands: 
@@ -134,6 +139,8 @@ Open a terminal and run the following commands to install the SecureDrop app cod cd ~Persistent/securedrop git tag -v 0.11.0 +.. note:: + The SecureDrop application code must be installed in the `~/Persistent/securedrop` directory in order to complete the reprovisioning process successfully. Do not install it in a different location. The output should include the following two lines: @@ -169,13 +176,13 @@ Next, copy the files that you’ll need for the new *Admin Workstation*. Open a cp /media/amnesia/TailsData/openssh-client/* ~/.ssh/ - export SRC="/media/amnesia/TailsData/install_files/ansible_base" + export SRC="/media/amnesia/TailsData/Persistent/securedrop/install_files/ansible_base" export DST="~/Persistent/securedrop/install_files/ansible-base" cp $SRC/{app,mon}* $DST/ cp $SRC/prod-specific.yml $DST/ - # Next, you’ll need to copy over the instance’s submission key and OSSEC + # Next, you’ll need to copy over the instance’s submission public key and OSSEC # public key. Their filenames may vary, but you can check them in the # instance configuration file using the following command:
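Review bot: In the hunk at -102,7, the new `.. important::` block only recommends contacting the team, and the unchanged line right after it goes on to "Finally, run the following commands:". An ambiguous refname means `git checkout 0.11.0` may not have resolved to the tag that was just verified, so the admonition should say explicitly to stop and not run the remaining commands until that is resolved. The literal ``refname ‘0.11.0’ is ambiguous`` also uses typographic quotes, while git prints straight quotes, so an admin comparing the text with their terminal will not see an exact match.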
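Review bot: In the hunk at -134,6, the added note gives the required location as `~/Persistent/securedrop`, but the context line directly above it still reads `cd ~Persistent/securedrop`. Without the slash the shell treats `~Persistent` as the home directory of a user named Persistent, so the command does not land in the directory the note insists on; fix the command in this same patch so the two agree. The path in the note is also in single backticks, which reST renders as interpreted text rather than an inline literal; use double backticks as the `refname` literal elsewhere in this file does.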
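Review bot: In the hunk at -169,13, the corrected SRC path still ends in `ansible_base` (underscore) while DST on the next line ends in `ansible-base` (hyphen); please confirm the directory name on the old volume and make the two match, otherwise both `cp $SRC/...` commands fail. The unchanged `export DST="~/Persistent/securedrop/install_files/ansible-base"` also keeps the tilde inside double quotes, where the shell does not expand it, so the copies would be aimed at a literal `~` path; writing it with `$HOME` or leaving the tilde unquoted avoids that and is worth fixing while this block is being touched.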