From 23b980309a55ac06c62f1dbc0ebf39c6064bf200 Mon Sep 17 00:00:00 2001 
From: mhoellein Date: Mon, 14 Mar 2022 12:16:57 +0100 Subject: [PATCH] committing changes in /etc after apt run Package changes: +openjdk-17-jre 17.0.2+8-1~18.04 amd64 +openjdk-17-jre-headless 17.0.2+8-1~18.04 amd64 --- .etckeeper | 31 + alternatives/java | 2 +- alternatives/java.1.gz | 2 +- alternatives/jexec | 2 +- alternatives/jexec-binfmt | 2 +- alternatives/jpackage | 1 + alternatives/jpackage.1.gz | 1 + alternatives/keytool | 2 +- alternatives/keytool.1.gz | 2 +- alternatives/rmiregistry | 2 +- alternatives/rmiregistry.1.gz | 2 +- java-17-openjdk/accessibility.properties | 10 + java-17-openjdk/jfr/default.jfc | 1055 +++++++++++++ java-17-openjdk/jfr/profile.jfc | 1055 +++++++++++++ java-17-openjdk/jvm-amd64.cfg | 4 + java-17-openjdk/logging.properties | 63 + java-17-openjdk/management/jmxremote.access | 79 + .../management/management.properties | 304 ++++ java-17-openjdk/net.properties | 147 ++ java-17-openjdk/psfont.properties.ja | 119 ++ java-17-openjdk/psfontj2d.properties | 323 ++++ java-17-openjdk/security/blocked.certs | 39 + java-17-openjdk/security/default.policy | 225 +++ java-17-openjdk/security/java.policy | 44 + java-17-openjdk/security/java.security | 1356 +++++++++++++++++ java-17-openjdk/security/nss.cfg | 4 + java-17-openjdk/security/policy/README.txt | 54 + .../policy/limited/default_US_export.policy | 6 + .../policy/limited/default_local.policy | 14 + .../policy/limited/exempt_local.policy | 13 + .../policy/unlimited/default_US_export.policy | 6 + .../policy/unlimited/default_local.policy | 6 + .../security/public_suffix_list.dat | Bin 0 -> 232578 bytes java-17-openjdk/sound.properties | 39 + java-17-openjdk/swing.properties | 2 + mailcap | 3 + 36 files changed, 5011 insertions(+), 8 deletions(-) create mode 120000 alternatives/jpackage create mode 120000 alternatives/jpackage.1.gz create mode 100644 java-17-openjdk/accessibility.properties create mode 100644 java-17-openjdk/jfr/default.jfc create mode 100644 java-17-openjdk/jfr/profile.jfc 
create mode 100644 java-17-openjdk/jvm-amd64.cfg create mode 100644 java-17-openjdk/logging.properties create mode 100644 java-17-openjdk/management/jmxremote.access create mode 100644 java-17-openjdk/management/management.properties create mode 100644 java-17-openjdk/net.properties create mode 100644 java-17-openjdk/psfont.properties.ja create mode 100644 java-17-openjdk/psfontj2d.properties create mode 100644 java-17-openjdk/security/blocked.certs create mode 100644 java-17-openjdk/security/default.policy create mode 100644 java-17-openjdk/security/java.policy create mode 100644 java-17-openjdk/security/java.security create mode 100644 java-17-openjdk/security/nss.cfg create mode 100644 java-17-openjdk/security/policy/README.txt create mode 100644 java-17-openjdk/security/policy/limited/default_US_export.policy create mode 100644 java-17-openjdk/security/policy/limited/default_local.policy create mode 100644 java-17-openjdk/security/policy/limited/exempt_local.policy create mode 100644 java-17-openjdk/security/policy/unlimited/default_US_export.policy create mode 100644 java-17-openjdk/security/policy/unlimited/default_local.policy create mode 100644 java-17-openjdk/security/public_suffix_list.dat create mode 100644 java-17-openjdk/sound.properties create mode 100644 java-17-openjdk/swing.properties
diff --git a/.etckeeper b/.etckeeper
index f818a459..01d24abf 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -3553,6 +3553,37 @@ maybe chmod 0644 'java-11-openjdk/security/policy/unlimited/default_local.policy
 maybe chmod 0644 'java-11-openjdk/security/public_suffix_list.dat'
 maybe chmod 0644 'java-11-openjdk/sound.properties'
 maybe chmod 0644 'java-11-openjdk/swing.properties'
+maybe chmod 0755 'java-17-openjdk'
+maybe chmod 0644 'java-17-openjdk/accessibility.properties'
+maybe chmod 0755 'java-17-openjdk/jfr'
+maybe chmod 0644 'java-17-openjdk/jfr/default.jfc'
+maybe chmod 0644 'java-17-openjdk/jfr/profile.jfc'
+maybe chmod 0644 'java-17-openjdk/jvm-amd64.cfg'
+maybe chmod 0644 'java-17-openjdk/logging.properties'
+maybe chmod 0755 'java-17-openjdk/management'
+maybe chmod 0644 'java-17-openjdk/management/jmxremote.access'
+maybe chmod 0644 'java-17-openjdk/management/management.properties'
+maybe chmod 0644 'java-17-openjdk/net.properties'
+maybe chmod 0644 'java-17-openjdk/psfont.properties.ja'
+maybe chmod 0644 'java-17-openjdk/psfontj2d.properties'
+maybe chmod 0755 'java-17-openjdk/security'
+maybe chmod 0644 'java-17-openjdk/security/blocked.certs'
+maybe chmod 0644 'java-17-openjdk/security/default.policy'
+maybe chmod 0644 'java-17-openjdk/security/java.policy'
+maybe chmod 0644 'java-17-openjdk/security/java.security'
+maybe chmod 0644 'java-17-openjdk/security/nss.cfg'
+maybe chmod 0755 'java-17-openjdk/security/policy'
+maybe chmod 0644 'java-17-openjdk/security/policy/README.txt'
+maybe chmod 0755 'java-17-openjdk/security/policy/limited'
+maybe chmod 0644 'java-17-openjdk/security/policy/limited/default_US_export.policy'
+maybe chmod 0644 'java-17-openjdk/security/policy/limited/default_local.policy'
+maybe chmod 0644 'java-17-openjdk/security/policy/limited/exempt_local.policy'
+maybe chmod 0755 'java-17-openjdk/security/policy/unlimited'
+maybe chmod 0644 'java-17-openjdk/security/policy/unlimited/default_US_export.policy'
+maybe chmod 0644 'java-17-openjdk/security/policy/unlimited/default_local.policy'
+maybe chmod 0644 'java-17-openjdk/security/public_suffix_list.dat'
+maybe chmod 0644 'java-17-openjdk/sound.properties'
+maybe chmod 0644 'java-17-openjdk/swing.properties'
 maybe chmod 0755 'java-7-openjdk'
 maybe chmod 0644 'java-7-openjdk/accessibility.properties'
 maybe chmod 0644 'java-7-openjdk/calendars.properties'
diff --git a/alternatives/java b/alternatives/java
index cd6559d4..6f28afb0 120000
--- a/alternatives/java
+++ b/alternatives/java
@@ -1 +1 @@
-/usr/lib/jvm/java-11-openjdk-amd64/bin/java
\ No newline at end of file
+/usr/lib/jvm/java-17-openjdk-amd64/bin/java
\ No newline at end of file
diff --git a/alternatives/java.1.gz b/alternatives/java.1.gz
index e8791d87..b63a9c26 120000
--- a/alternatives/java.1.gz
+++ b/alternatives/java.1.gz
@@ -1 +1 @@
-/usr/lib/jvm/java-11-openjdk-amd64/man/man1/java.1.gz
\ No newline at end of file
+/usr/lib/jvm/java-17-openjdk-amd64/man/man1/java.1.gz
\ No newline at end of file
diff --git a/alternatives/jexec b/alternatives/jexec
index eac05c33..82ba79d4 120000
--- a/alternatives/jexec
+++ b/alternatives/jexec
@@ -1 +1 @@
-/usr/lib/jvm/java-11-openjdk-amd64/lib/jexec
\ No newline at end of file
+/usr/lib/jvm/java-17-openjdk-amd64/lib/jexec
\ No newline at end of file
diff --git a/alternatives/jexec-binfmt b/alternatives/jexec-binfmt
index a1525e50..6fc6f5f7 120000
--- a/alternatives/jexec-binfmt
+++ b/alternatives/jexec-binfmt
@@ -1 +1 @@
-/usr/lib/jvm/java-11-openjdk-amd64/lib/jar.binfmt
\ No newline at end of file
+/usr/lib/jvm/java-17-openjdk-amd64/lib/jar.binfmt
\ No newline at end of file
diff --git a/alternatives/jpackage b/alternatives/jpackage
new file mode 120000
index 00000000..ba13644a
--- /dev/null
+++ b/alternatives/jpackage
@@ -0,0 +1 @@
+/usr/lib/jvm/java-17-openjdk-amd64/bin/jpackage
\ No newline at end of file
diff --git a/alternatives/jpackage.1.gz b/alternatives/jpackage.1.gz
new file mode 120000
index 00000000..c37ab1c2
--- /dev/null
+++ b/alternatives/jpackage.1.gz
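Review bot: The `alternatives/java` retarget (and the matching `jexec`, `jexec-binfmt`, `keytool` and `rmiregistry` hunks that follow) makes Java 17 the host's default runtime as a side effect of the package install, which the commit message does not mention. Anything launched through the alternatives link will presumably now read the freshly created `java-17-openjdk/security/java.security` and related files rather than the `java-11-openjdk/` tree, so any local hardening made there (not visible in this patch) would need to be carried over or the alternative pinned back to 11. It would help to record in the commit description whether the default-JVM switch was intended.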
@@ -0,0 +1 @@
+/usr/lib/jvm/java-17-openjdk-amd64/man/man1/jpackage.1.gz
\ No newline at end of file
diff --git a/alternatives/keytool b/alternatives/keytool
index dcb93a7d..caed3413 120000
--- a/alternatives/keytool
+++ b/alternatives/keytool
@@ -1 +1 @@
-/usr/lib/jvm/java-11-openjdk-amd64/bin/keytool
\ No newline at end of file
+/usr/lib/jvm/java-17-openjdk-amd64/bin/keytool
\ No newline at end of file
diff --git a/alternatives/keytool.1.gz b/alternatives/keytool.1.gz
index 17c81fb4..dd78eb94 120000
--- a/alternatives/keytool.1.gz
+++ b/alternatives/keytool.1.gz
@@ -1 +1 @@
-/usr/lib/jvm/java-11-openjdk-amd64/man/man1/keytool.1.gz
\ No newline at end of file
+/usr/lib/jvm/java-17-openjdk-amd64/man/man1/keytool.1.gz
\ No newline at end of file
diff --git a/alternatives/rmiregistry b/alternatives/rmiregistry
index d522e149..fae8a05b 120000
--- a/alternatives/rmiregistry
+++ b/alternatives/rmiregistry
@@ -1 +1 @@
-/usr/lib/jvm/java-11-openjdk-amd64/bin/rmiregistry
\ No newline at end of file
+/usr/lib/jvm/java-17-openjdk-amd64/bin/rmiregistry
\ No newline at end of file
diff --git a/alternatives/rmiregistry.1.gz b/alternatives/rmiregistry.1.gz
index 75f34b54..3bf43810 120000
--- a/alternatives/rmiregistry.1.gz
+++ b/alternatives/rmiregistry.1.gz
@@ -1 +1 @@
-/usr/lib/jvm/java-11-openjdk-amd64/man/man1/rmiregistry.1.gz
\ No newline at end of file
+/usr/lib/jvm/java-17-openjdk-amd64/man/man1/rmiregistry.1.gz
\ No newline at end of file
diff --git a/java-17-openjdk/accessibility.properties b/java-17-openjdk/accessibility.properties
new file mode 100644
index 00000000..c1bdc487
--- /dev/null
+++ b/java-17-openjdk/accessibility.properties
@@ -0,0 +1,10 @@
+#
+# The following line specifies the assistive technology classes
+# that should be loaded into the Java VM when the AWT is initailized.
+# Specify multiple classes by separating them with commas.
+# Note: the line below cannot end the file (there must be at
+# a minimum a blank line following it).
+#
+# Doesn't work, see LP: #935296
+#assistive_technologies=org.GNOME.Accessibility.AtkWrapper
+
diff --git a/java-17-openjdk/jfr/default.jfc b/java-17-openjdk/jfr/default.jfc
new file mode 100644
index 00000000..653d4235
--- /dev/null
+++ b/java-17-openjdk/jfr/default.jfc
@@ -0,0 +1,1055 @@ + + + + + + + true + everyChunk + + + + true + 1000 ms + + + + true + everyChunk + + + + true + 1000 ms + + + + true + 10 s + + + + true + 10 s + + + + true + 10 s + + + + true + 10 s + + + + true + 10 s + + + + true + true + + + + true + + + + true + true + 20 ms + + + + true + true + 20 ms + + + + true + true + 20 ms + + + + true + true + 20 ms + + + + false + true + 20 ms + + + + true + true + + + + true + true + 0 ms + + + + true + true + 0 ms + + + + true + true + 0 ms + + + + true + true + + + + false + true + 0 ms + + + + false + true + + + + true + true + 0 ms + + + + true + true + 0 ms + + + + true + + + + false + + + + true + beginChunk + + + + true + beginChunk + + + + true + 20 ms + + + + true + 20 ms + + + + true + 10 ms + + + + false + 10 ms + + + + false + 10 ms + + + + false + 10 ms + + + + false + 10 ms + + + + true + 10 ms + + + + true + true + + + + true + everyChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + + + + false + everyChunk + + + + true + everyChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + false + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + true + + + + true + true + + + + true + + + + true + 0 ms + + + + true + 0 ms + true + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + false + 0 ms + + + + false + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + 0 ms + + + + true + + + + true + + + + false + + + + false + + + + true + + + + false + true + + + + true + + + + false + everyChunk + + + + 
false + + + + false + everyChunk + + + + false + + + + true + false + 0 ns + + + + true + beginChunk + + + + true + 1000 ms + + + + true + 1000 ms + + + + true + 60 s + + + + false + + + + false + + + + true + beginChunk + + + + true + everyChunk + + + + true + 100 ms + + + + true + beginChunk + + + + true + everyChunk + + + + true + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + 30 s + + + + true + 30 s + + + + true + 30 s + + + + true + 30 s + + + + true + beginChunk + + + + true + 10 s + + + + true + 1000 ms + + + + true + 10 s + + + + true + beginChunk + + + + true + endChunk + + + + true + true + + + + true + 5 s + + + + true + beginChunk + + + + true + everyChunk + + + + false + true + + + + false + true + + + + true + 150/s + true + + + + true + everyChunk + + + + true + endChunk + + + + true + endChunk + + + + true + true + 20 ms + + + + true + true + 20 ms + + + + true + true + 20 ms + + + + true + true + 20 ms + + + + true + true + 20 ms + + + + false + true + + + + false + true + + + + false + true + + + + false + true + + + + false + true + + + + false + true + + + + true + true + + + + true + 1000 ms + + + + true + + + + true + + + + false + 0 ns + + + + true + + + + true + + + + true + 0 ms + + + + true + true + 1 ms + + + + true + 0 ms + + + + true + 0 ms + + + + false + 0 ms + + + + false + 0 ms + + + + false + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + false + + + + true + 0 ns + true + + + + true + 5 s + + + + true + 1 s + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 20 ms + + 20 ms + + 20 ms + + false 
+ + + + diff --git a/java-17-openjdk/jfr/profile.jfc b/java-17-openjdk/jfr/profile.jfc new file mode 100644 index 00000000..cb661197 --- /dev/null +++ b/java-17-openjdk/jfr/profile.jfc 
@@ -0,0 +1,1055 @@ + + + + + + + true + everyChunk + + + + true + 1000 ms + + + + true + everyChunk + + + + true + 1000 ms + + + + true + 10 s + + + + true + 10 s + + + + true + 10 s + + + + true + 10 s + + + + true + 10 s + + + + true + true + + + + true + + + + true + true + 10 ms + + + + true + true + 10 ms + + + + true + true + 10 ms + + + + true + true + 10 ms + + + + true + true + 10 ms + + + + true + true + + + + true + true + 0 ms + + + + true + true + 0 ms + + + + true + true + 0 ms + + + + true + true + + + + false + true + 0 ms + + + + false + true + + + + true + true + 0 ms + + + + true + true + 0 ms + + + + true + + + + false + + + + true + beginChunk + + + + true + beginChunk + + + + true + 10 ms + + + + true + 20 ms + + + + true + 0 ms + + + + false + 0 ms + + + + false + 0 ms + + + + false + 0 ms + + + + false + 0 ms + + + + true + 0 ms + + + + true + true + + + + true + 60 s + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + + + + false + everyChunk + + + + true + everyChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + false + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + true + + + + true + true + + + + true + + + + true + 0 ms + + + + true + 0 ms + true + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + false + 0 ms + + + + false + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + + + + true + 0 ms + + + + true + + + + true + + + + true + + + + true + + + + true + + + + false + true + + + + true + + + + false + everyChunk + + + + false + + + + 
false + everyChunk + + + + false + + + + true + true + 0 ns + + + + true + beginChunk + + + + true + 1000 ms + + + + true + 100 ms + + + + true + 10 s + + + + true + + + + false + + + + true + beginChunk + + + + true + everyChunk + + + + true + 100 ms + + + + true + beginChunk + + + + true + everyChunk + + + + true + + + + true + beginChunk + + + + true + beginChunk + + + + true + beginChunk + + + + true + 30 s + + + + true + 30 s + + + + true + 30 s + + + + true + 30 s + + + + true + beginChunk + + + + true + 10 s + + + + true + 1000 ms + + + + true + 10 s + + + + true + beginChunk + + + + true + endChunk + + + + true + true + + + + true + 5 s + + + + true + beginChunk + + + + true + everyChunk + + + + false + true + + + + false + true + + + + true + 300/s + true + + + + true + everyChunk + + + + true + endChunk + + + + true + endChunk + + + + true + true + 10 ms + + + + true + true + 10 ms + + + + true + true + 10 ms + + + + true + true + 10 ms + + + + true + true + 10 ms + + + + false + true + + + + false + true + + + + false + true + + + + false + true + + + + false + true + + + + false + true + + + + true + true + + + + true + 1000 ms + + + + true + + + + true + + + + false + 0 ns + + + + true + + + + true + + + + true + 0 ms + + + + true + true + 1 ms + + + + true + 0 ms + + + + true + 0 ms + + + + false + 0 ms + + + + false + 0 ms + + + + false + 0 ms + + + + true + 0 ms + + + + true + 0 ms + + + + true + true + + + + true + 0 ns + true + + + + true + 5 s + + + + true + 100 ms + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 10 ms + + 10 ms + + 10 ms + + false + + + + 
diff --git a/java-17-openjdk/jvm-amd64.cfg b/java-17-openjdk/jvm-amd64.cfg
new file mode 100644
index 00000000..cf721fd8
--- /dev/null
+++ b/java-17-openjdk/jvm-amd64.cfg
@@ -0,0 +1,4 @@
+-server KNOWN
+-client IGNORE
+-zero KNOWN
+-dcevm KNOWN
diff --git a/java-17-openjdk/logging.properties b/java-17-openjdk/logging.properties
new file mode 100644
index 00000000..99a38507
--- /dev/null
+++ b/java-17-openjdk/logging.properties
@@ -0,0 +1,63 @@
+############################################################
+# Default Logging Configuration File
+#
+# You can use a different file by specifying a filename
+# with the java.util.logging.config.file system property.
+# For example, java -Djava.util.logging.config.file=myfile
+############################################################
+
+############################################################
+# Global properties
+############################################################
+
+# "handlers" specifies a comma-separated list of log Handler
+# classes. These handlers will be installed during VM startup.
+# Note that these classes must be on the system classpath.
+# By default we only configure a ConsoleHandler, which will only
+# show messages at the INFO and above levels.
+handlers= java.util.logging.ConsoleHandler
+
+# To also add the FileHandler, use the following line instead.
+#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler
+
+# Default global logging level.
+# This specifies which kinds of events are logged across
+# all loggers. For any given facility this global level
+# can be overridden by a facility-specific level
+# Note that the ConsoleHandler also has a separate level
+# setting to limit messages printed to the console.
+.level= INFO
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+# default file output is in user's home directory.
+java.util.logging.FileHandler.pattern = %h/java%u.log
+java.util.logging.FileHandler.limit = 50000
+java.util.logging.FileHandler.count = 1
+# Default number of locks FileHandler can obtain synchronously.
+# This specifies maximum number of attempts to obtain lock file by FileHandler
+# implemented by incrementing the unique field %u as per FileHandler API documentation.
+java.util.logging.FileHandler.maxLocks = 100
+java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
+
+# Limit the messages that are printed on the console to INFO and above.
+java.util.logging.ConsoleHandler.level = INFO
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+# Example to customize the SimpleFormatter output format
+# to print one-line log message like this:
+# : []
+#
+# java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n
+
+############################################################
+# Facility-specific properties.
+# Provides extra control for each logger.
+############################################################
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+# com.xyz.foo.level = SEVERE
diff --git a/java-17-openjdk/management/jmxremote.access b/java-17-openjdk/management/jmxremote.access
new file mode 100644
index 00000000..a09e008f
--- /dev/null
+++ b/java-17-openjdk/management/jmxremote.access
@@ -0,0 +1,79 @@
+######################################################################
+# Default Access Control File for Remote JMX(TM) Monitoring
+######################################################################
+#
+# Access control file for Remote JMX API access to monitoring.
+# This file defines the allowed access for different roles. The
+# password file (jmxremote.password by default) defines the roles and their
+# passwords. To be functional, a role must have an entry in
+# both the password and the access files.
+#
+# The default location of this file is $JRE/conf/management/jmxremote.access
+# You can specify an alternate location by specifying a property in
+# the management config file $JRE/conf/management/management.properties
+# (See that file for details)
+#
+# The file format for password and access files is syntactically the same
+# as the Properties file format. The syntax is described in the Javadoc
+# for java.util.Properties.load.
+# A typical access file has multiple lines, where each line is blank,
+# a comment (like this one), or an access control entry.
+#
+# An access control entry consists of a role name, and an
+# associated access level. The role name is any string that does not
+# itself contain spaces or tabs. It corresponds to an entry in the
+# password file (jmxremote.password). The access level is one of the
+# following:
+# "readonly" grants access to read attributes of MBeans.
+# For monitoring, this means that a remote client in this
+# role can read measurements but cannot perform any action
+# that changes the environment of the running program.
+# "readwrite" grants access to read and write attributes of MBeans,
+# to invoke operations on them, and optionally
+# to create or remove them. This access should be granted
+# only to trusted clients, since they can potentially
+# interfere with the smooth operation of a running program.
+#
+# The "readwrite" access level can optionally be followed by the "create" and/or
+# "unregister" keywords. The "unregister" keyword grants access to unregister
+# (delete) MBeans. The "create" keyword grants access to create MBeans of a
+# particular class or of any class matching a particular pattern. Access
+# should only be granted to create MBeans of known and trusted classes.
+#
+# For example, the following entry would grant readwrite access
+# to "controlRole", as well as access to create MBeans of the class
+# javax.management.monitor.CounterMonitor and to unregister any MBean:
+# controlRole readwrite \
+# create javax.management.monitor.CounterMonitorMBean \
+# unregister
+# or equivalently:
+# controlRole readwrite unregister create javax.management.monitor.CounterMBean
+#
+# The following entry would grant readwrite access as well as access to create
+# MBeans of any class in the packages javax.management.monitor and
+# javax.management.timer:
+# controlRole readwrite \
+# create javax.management.monitor.*,javax.management.timer.* \
+# unregister
+#
+# The \ character is defined in the Properties file syntax to allow continuation
+# lines as shown here. A * in a class pattern matches a sequence of characters
+# other than dot (.), so javax.management.monitor.* matches
+# javax.management.monitor.CounterMonitor but not
+# javax.management.monitor.foo.Bar.
+#
+# A given role should have at most one entry in this file. If a role
+# has no entry, it has no access.
+# If multiple entries are found for the same role name, then the last
+# access entry is used.
+#
+#
+# Default access control entries:
+# o The "monitorRole" role has readonly access.
+# o The "controlRole" role has readwrite access and can create the standard
+# Timer and Monitor MBeans defined by the JMX API.
+
+monitorRole readonly
+controlRole readwrite \
+ create javax.management.monitor.*,javax.management.timer.* \
+ unregister
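Review bot: The active entries at the end of `jmxremote.access` grant `controlRole` `readwrite` together with `create javax.management.monitor.*,javax.management.timer.*` and `unregister`, a level the file's own comments say should go only to trusted clients. Per the header these entries stay inert until a role of the same name also exists in the password file, but if remote JMX is ever enabled on this host I would remove the `controlRole` entry and keep only `monitorRole readonly` unless write access is actually required. Since this repository tracks /etc, a `jmxremote.password` created in this directory later would presumably be committed as well; consider excluding it in `.gitignore` before that happens.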
diff --git a/java-17-openjdk/management/management.properties b/java-17-openjdk/management/management.properties
new file mode 100644
index 00000000..ecb08823
--- /dev/null
+++ b/java-17-openjdk/management/management.properties
@@ -0,0 +1,304 @@
+#####################################################################
+# Default Configuration File for Java Platform Management
+#####################################################################
+#
+# The Management Configuration file (in java.util.Properties format)
+# will be read if one of the following system properties is set:
+# -Dcom.sun.management.jmxremote.port=
+# or -Dcom.sun.management.config.file=
+#
+# The default Management Configuration file is:
+#
+# $JRE/conf/management/management.properties
+#
+# Another location for the Management Configuration File can be specified
+# by the following property on the Java command line:
+#
+# -Dcom.sun.management.config.file=
+#
+# If -Dcom.sun.management.config.file= is set, the port
+# number for the management agent can be specified in the config file
+# using the following lines:
+#
+# ################ Management Agent Port #########################
+#
+# For setting the JMX RMI agent port use the following line
+# com.sun.management.jmxremote.port=
+#
+# For setting the JMX local server port use the following line
+# com.sun.management.jmxremote.local.port=
+
+#####################################################################
+# Optional Instrumentation
+#####################################################################
+#
+# By default only the basic instrumentation with low overhead is on.
+# The following properties allow to selectively turn on optional
+# instrumentation which are off by default and may have some
+# additional overhead.
+#
+# com.sun.management.enableThreadContentionMonitoring
+#
+# This option enables thread contention monitoring if the
+# Java virtual machine supports such instrumentation.
+# Refer to the specification for the java.lang.management.ThreadMXBean
+# interface - see isThreadContentionMonitoringSupported() method.
+#
+
+# To enable thread contention monitoring, uncomment the following line
+# com.sun.management.enableThreadContentionMonitoring
+
+#####################################################################
+# RMI Management Properties
+#####################################################################
+#
+# If system property -Dcom.sun.management.jmxremote.port=
+# is set then
+# - A MBean server is started
+# - JRE Platform MBeans are registered in the MBean server
+# - RMI connector is published in a private readonly registry at
+# specified port using a well known name, "jmxrmi"
+# - the following properties are read for JMX remote management.
+#
+# The configuration can be specified only at startup time.
+# Later changes to above system property (e.g. via setProperty method),
+# this config file, the password file, or the access file have no effect to the
+# running MBean server, the connector, or the registry.
+#
+
+#
+# ########## RMI connector settings for local management ##########
+#
+# com.sun.management.jmxremote.local.only=true|false
+# Default for this property is true. (Case for true/false ignored)
+# If this property is specified as true then the local JMX RMI connector
+# server will only accept connection requests from clients running on
+# the host where the out-of-the-box JMX management agent is running.
+# In order to ensure backwards compatibility this property could be
+# set to false. However, deploying the local management agent in this
+# way is discouraged because the local JMX RMI connector server will
+# accept connection requests from any client either local or remote.
+# For remote management the remote JMX RMI connector server should
+# be used instead with authentication and SSL/TLS encryption enabled.
+#
+
+# For allowing the local management agent accept local
+# and remote connection requests use the following line
+# com.sun.management.jmxremote.local.only=false
+
+#
+# ###################### RMI SSL #############################
+#
+# com.sun.management.jmxremote.ssl=true|false
+# Default for this property is true. (Case for true/false ignored)
+# If this property is specified as false then SSL is not used.
+#
+
+# For RMI monitoring without SSL use the following line
+# com.sun.management.jmxremote.ssl=false
+
+# com.sun.management.jmxremote.ssl.config.file=filepath
+# Specifies the location of the SSL configuration file. A properties
+# file can be used to supply the keystore and truststore location and
+# password settings thus avoiding to pass them as cleartext in the
+# command-line.
+#
+# The current implementation of the out-of-the-box management agent will
+# look up and use the properties specified below to configure the SSL
+# keystore and truststore, if present:
+# javax.net.ssl.keyStore=
+# javax.net.ssl.keyStorePassword=
+# javax.net.ssl.trustStore=
+# javax.net.ssl.trustStorePassword=
+# Any other properties in the file will be ignored. This will allow us
+# to extend the property set in the future if required by the default
+# SSL implementation.
+#
+# If the property "com.sun.management.jmxremote.ssl" is set to false,
+# then this property is ignored.
+#
+
+# For supplying the keystore settings in a file use the following line
+# com.sun.management.jmxremote.ssl.config.file=filepath
+
+# com.sun.management.jmxremote.ssl.enabled.cipher.suites=
+# The value of this property is a string that is a comma-separated list
+# of SSL/TLS cipher suites to enable. This property can be specified in
+# conjunction with the previous property "com.sun.management.jmxremote.ssl"
+# in order to control which particular SSL/TLS cipher suites are enabled
+# for use by accepted connections. If this property is not specified then
+# the SSL/TLS RMI Server Socket Factory uses the SSL/TLS cipher suites that
+# are enabled by default.
+#
+
+# com.sun.management.jmxremote.ssl.enabled.protocols=
+# The value of this property is a string that is a comma-separated list
+# of SSL/TLS protocol versions to enable. This property can be specified in
+# conjunction with the previous property "com.sun.management.jmxremote.ssl"
+# in order to control which particular SSL/TLS protocol versions are
+# enabled for use by accepted connections. If this property is not
+# specified then the SSL/TLS RMI Server Socket Factory uses the SSL/TLS
+# protocol versions that are enabled by default.
+#
+
+# com.sun.management.jmxremote.ssl.need.client.auth=true|false
+# Default for this property is false. (Case for true/false ignored)
+# If this property is specified as true in conjunction with the previous
+# property "com.sun.management.jmxremote.ssl" then the SSL/TLS RMI Server
+# Socket Factory will require client authentication.
+#
+
+# For RMI monitoring with SSL client authentication use the following line
+# com.sun.management.jmxremote.ssl.need.client.auth=true
+
+# com.sun.management.jmxremote.registry.ssl=true|false
+# Default for this property is false. (Case for true/false ignored)
+# If this property is specified as true then the RMI registry used
+# to bind the RMIServer remote object is protected with SSL/TLS
+# RMI Socket Factories that can be configured with the properties:
+# com.sun.management.jmxremote.ssl.config.file
+# com.sun.management.jmxremote.ssl.enabled.cipher.suites
+# com.sun.management.jmxremote.ssl.enabled.protocols
+# com.sun.management.jmxremote.ssl.need.client.auth
+# If the two properties below are true at the same time, i.e.
+# com.sun.management.jmxremote.ssl=true
+# com.sun.management.jmxremote.registry.ssl=true
+# then the RMIServer remote object and the RMI registry are
+# both exported with the same SSL/TLS RMI Socket Factories.
+#
+
+# For using an SSL/TLS protected RMI registry use the following line
+# com.sun.management.jmxremote.registry.ssl=true
+
+#
+# ################ RMI User authentication ################
+#
+# com.sun.management.jmxremote.authenticate=true|false
+# Default for this property is true. (Case for true/false ignored)
+# If this property is specified as false then no authentication is
+# performed and all users are allowed all access.
+#
+
+# For RMI monitoring without any checking use the following line
+# com.sun.management.jmxremote.authenticate=false
+
+#
+# ################ RMI Login configuration ###################
+#
+# com.sun.management.jmxremote.login.config=
+# Specifies the name of a JAAS login configuration entry to use when
+# authenticating users of RMI monitoring.
+#
+# Setting this property is optional - the default login configuration
+# specifies a file-based authentication that uses the password file.
+#
+# When using this property to override the default login configuration
+# then the named configuration entry must be in a file that gets loaded
+# by JAAS. In addition, the login module(s) specified in the configuration
+# should use the name and/or password callbacks to acquire the user's
+# credentials. See the NameCallback and PasswordCallback classes in the
+# javax.security.auth.callback package for more details.
+#
+# If the property "com.sun.management.jmxremote.authenticate" is set to
+# false, then this property and the password & access files are ignored.
+#
+
+# For a non-default login configuration use the following line
+# com.sun.management.jmxremote.login.config=
+
+#
+# ################ RMI Password file location ##################
+#
+# com.sun.management.jmxremote.password.file=filepath
+# Specifies location for password file
+# This is optional - default location is
+# $JRE/conf/management/jmxremote.password
+#
+# If the property "com.sun.management.jmxremote.authenticate" is set to
+# false, then this property and the password & access files are ignored.
+# Otherwise the password file must exist and be in the valid format.
+# If the password file is empty or non-existent then no access is allowed.
+#
+
+# For a non-default password file location use the following line
+# com.sun.management.jmxremote.password.file=filepath
+
+#
+# ################# Hash passwords in password file ##############
+# com.sun.management.jmxremote.password.toHashes = true|false
+# Default for this property is true.
+# Specifies if passwords in the password file should be hashed or not.
+# If this property is true, and if the password file is writable, and if the
+# system security policy allows writing into the password file,
+# all the clear passwords in the password file will be replaced by
+# their SHA3-512 hash when the file is read by the server
+#
+
+#
+# ################ RMI Access file location #####################
+#
+# com.sun.management.jmxremote.access.file=filepath
+# Specifies location for access file
+# This is optional - default location is
+# $JRE/conf/management/jmxremote.access
+#
+# If the property "com.sun.management.jmxremote.authenticate" is set to
+# false, then this property and the password & access files are ignored.
+# Otherwise, the access file must exist and be in the valid format.
+# If the access file is empty or non-existent then no access is allowed.
+# + +# For a non-default password file location use the following line +# com.sun.management.jmxremote.access.file=filepath +# + +# ################ Management agent listen interface ######################### +# +# com.sun.management.jmxremote.host= +# Specifies the local interface on which the JMX RMI agent will bind. +# This is useful when running on machines which have several +# interfaces defined. It makes it possible to listen to a specific +# subnet accessible through that interface. +# +# The format of the value for that property is any string accepted +# by java.net.InetAddress.getByName(String). +# + +# ################ Filter for ObjectInputStream ############################# +# com.sun.management.jmxremote.serial.filter.pattern= +# A filter, if configured, is used by java.io.ObjectInputStream during +# deserialization of parameters sent to the JMX default agent to validate the +# contents of the stream. +# A filter is configured as a sequence of patterns, each pattern is either +# matched against the name of a class in the stream or defines a limit. +# Patterns are separated by ";" (semicolon). +# Whitespace is significant and is considered part of the pattern. +# +# If a pattern includes a "=", it sets a limit. +# If a limit appears more than once the last value is used. +# Limits are checked before classes regardless of the order in the sequence of patterns. +# If any of the limits are exceeded, the filter status is REJECTED. +# +# maxdepth=value - the maximum depth of a graph +# maxrefs=value - the maximum number of internal references +# maxbytes=value - the maximum number of bytes in the input stream +# maxarray=value - the maximum array length allowed +# +# Other patterns, from left to right, match the class or package name as +# returned from Class.getName. +# If the class is an array type, the class or package to be matched is the element type. +# Arrays of any number of dimensions are treated the same as the element type. 
+# For example, a pattern of "!example.Foo", rejects creation of any instance or +# array of example.Foo. +# +# If the pattern starts with "!", the status is REJECTED if the remaining pattern +# is matched; otherwise the status is ALLOWED if the pattern matches. +# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; +# if the module name matches the module name of the class then +# the remaining pattern is matched with the class name. +# If there is no "/", the module name is not compared. +# If the pattern ends with ".**" it matches any class in the package and all subpackages. +# If the pattern ends with ".*" it matches any class in the package. +# If the pattern ends with "*", it matches any class with the pattern as a prefix. +# If the pattern is equal to the class name, it matches. +# Otherwise, the status is UNDECIDED. diff --git a/java-17-openjdk/net.properties b/java-17-openjdk/net.properties new file mode 100644 index 00000000..9cefdff4 --- /dev/null +++ b/java-17-openjdk/net.properties 
@@ -0,0 +1,147 @@
+############################################################
+# Default Networking Configuration File
+#
+# This file may contain default values for the networking system properties.
+# These values are only used when the system properties are not specified
+# on the command line or set programmatically.
+# For now, only the various proxy settings can be configured here.
+############################################################
+
+# Whether or not the DefaultProxySelector will default to System Proxy
+# settings when they do exist.
+# Set it to 'true' to enable this feature and check for platform
+# specific proxy settings
+# Note that the system properties that do explicitly set proxies
+# (like http.proxyHost) do take precedence over the system settings
+# even if java.net.useSystemProxies is set to true.
+
+java.net.useSystemProxies=false
+
+#------------------------------------------------------------------------
+# Proxy configuration for the various protocol handlers.
+# DO NOT uncomment these lines if you have set java.net.useSystemProxies
+# to true as the protocol specific properties will take precedence over
+# system settings.
+#------------------------------------------------------------------------
+
+# HTTP Proxy settings. proxyHost is the name of the proxy server
+# (e.g. proxy.mydomain.com), proxyPort is the port number to use (default
+# value is 80) and nonProxyHosts is a '|' separated list of hostnames which
+# should be accessed directly, ignoring the proxy server (default value is
+# localhost & 127.0.0.1).
+#
+# http.proxyHost=
+# http.proxyPort=80
+http.nonProxyHosts=localhost|127.*|[::1]
+#
+# HTTPS Proxy Settings. proxyHost is the name of the proxy server
+# (e.g. proxy.mydomain.com), proxyPort is the port number to use (default
+# value is 443). The HTTPS protocol handlers uses the http nonProxyHosts list.
+#
+# https.proxyHost=
+# https.proxyPort=443
+#
+# FTP Proxy settings. proxyHost is the name of the proxy server
+# (e.g. proxy.mydomain.com), proxyPort is the port number to use (default
+# value is 80) and nonProxyHosts is a '|' separated list of hostnames which
+# should be accessed directly, ignoring the proxy server (default value is
+# localhost & 127.0.0.1).
+#
+# ftp.proxyHost=
+# ftp.proxyPort=80
+ftp.nonProxyHosts=localhost|127.*|[::1]
+#
+# Socks proxy settings. socksProxyHost is the name of the proxy server
+# (e.g. socks.domain.com), socksProxyPort is the port number to use
+# (default value is 1080)
+#
+# socksProxyHost=
+# socksProxyPort=1080
+#
+# HTTP Keep Alive settings. remainingData is the maximum amount of data
+# in kilobytes that will be cleaned off the underlying socket so that it
+# can be reused (default value is 512K), queuedConnections is the maximum
+# number of Keep Alive connections to be on the queue for clean up (default
+# value is 10).
+# http.KeepAlive.remainingData=512
+# http.KeepAlive.queuedConnections=10
+
+# Authentication Scheme restrictions for HTTP and HTTPS.
+#
+# In some environments certain authentication schemes may be undesirable
+# when proxying HTTP or HTTPS. For example, "Basic" results in effectively the
+# cleartext transmission of the user's password over the physical network.
+# This section describes the mechanism for disabling authentication schemes
+# based on the scheme name. Disabled schemes will be treated as if they are not
+# supported by the implementation.
+#
+# The 'jdk.http.auth.tunneling.disabledSchemes' property lists the authentication
+# schemes that will be disabled when tunneling HTTPS over a proxy, HTTP CONNECT.
+# The 'jdk.http.auth.proxying.disabledSchemes' property lists the authentication
+# schemes that will be disabled when proxying HTTP.
+#
+# In both cases the property is a comma-separated list of, case-insensitive,
+# authentication scheme names, as defined by their relevant RFCs. An
+# implementation may, but is not required to, support common schemes whose names
+# include: 'Basic', 'Digest', 'NTLM', 'Kerberos', 'Negotiate'. A scheme that
+# is not known, or not supported, by the implementation is ignored.
+#
+# Note: This property is currently used by the JDK Reference implementation. It
+# is not guaranteed to be examined and used by other implementations.
+#
+#jdk.http.auth.proxying.disabledSchemes=
+jdk.http.auth.tunneling.disabledSchemes=Basic
+
+#
+# Allow restricted HTTP request headers
+#
+# By default, the following request headers are not allowed to be set by user code
+# in HttpRequests: "connection", "content-length", "expect", "host" and "upgrade".
+# The 'jdk.httpclient.allowRestrictedHeaders' property allows one or more of these
+# headers to be specified as a comma separated list to override the default restriction.
+# The names are case-insensitive and white-space is ignored (removed before processing
+# the list). Note, this capability is mostly intended for testing and isn't expected
+# to be used in real deployments. Protocol errors or other undefined behavior is likely
+# to occur when using them. The property is not set by default.
+# Note also, that there may be other headers that are restricted from being set
+# depending on the context. This includes the "Authorization" header when the
+# relevant HttpClient has an authenticator set. These restrictions cannot be
+# overridden by this property.
+#
+# jdk.httpclient.allowRestrictedHeaders=host
+#
+#
+# Transparent NTLM HTTP authentication mode on Windows. Transparent authentication
+# can be used for the NTLM scheme, where the security credentials based on the
+# currently logged in user's name and password can be obtained directly from the
+# operating system, without prompting the user. This property has three possible
+# values which regulate the behavior as shown below. Other unrecognized values
+# are handled the same as 'disabled'. Note, that NTLM is not considered to be a
+# strongly secure authentication scheme and care should be taken before enabling
+# this mechanism.
+#
+# Transparent authentication never used.
+#jdk.http.ntlm.transparentAuth=disabled
+#
+# Enabled for all hosts.
+#jdk.http.ntlm.transparentAuth=allHosts
+#
+# Enabled for hosts that are trusted in Windows Internet settings
+#jdk.http.ntlm.transparentAuth=trustedHosts
+#
+jdk.http.ntlm.transparentAuth=disabled
+#
+# Default directory where automatically bound Unix domain server
+# sockets are stored. Sockets are automatically bound when bound
+# with a null address.
+#
+# On Unix the search order to determine this directory is:
+#
+# 1. System property jdk.net.unixdomain.tmpdir
+#
+# 2. Networking property jdk.net.unixdomain.tmpdir specified
+# in this file (effective default)
+#
+# 3. System property java.io.tmpdir
+#
+jdk.net.unixdomain.tmpdir=/tmp
diff --git a/java-17-openjdk/psfont.properties.ja b/java-17-openjdk/psfont.properties.ja
new file mode 100644
index 00000000..d17cf40d
--- /dev/null
+++ b/java-17-openjdk/psfont.properties.ja
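Review bot: In net.properties, `jdk.http.auth.proxying.disabledSchemes=` is left commented out, so Basic stays available when proxying plain HTTP even though the next line disables it for CONNECT tunneling with `jdk.http.auth.tunneling.disabledSchemes=Basic`. The file's own comment says Basic effectively sends the user's password in cleartext over the network. If any JVM on this host authenticates to a proxy, which the diff does not show, a local override of `jdk.http.auth.proxying.disabledSchemes=Basic` would make the two paths consistent. The same hunk ends with `jdk.net.unixdomain.tmpdir=/tmp`; that is the packaged default, but a dedicated directory with restrictive permissions is worth considering if services here rely on automatically bound Unix domain sockets.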
@@ -0,0 +1,119 @@ +# +# +# Copyright (c) 1996, 2000, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. 
+# + +# +# Japanese PostScript printer property file +# +font.num=16 +# +serif=serif +timesroman=serif +sansserif=sansserif +helvetica=sansserif +monospaced=monospaced +courier=monospaced +dialog=sansserif +dialoginput=monospaced +# +serif.latin1.plain=Times-Roman +serif.latin1.italic=Times-Italic +serif.latin1.bolditalic=Times-BoldItalic +serif.latin1.bold=Times-Bold +# +sansserif.latin1.plain=Helvetica +sansserif.latin1.italic=Helvetica-Oblique +sansserif.latin1.bolditalic=Helvetica-BoldOblique +sansserif.latin1.bold=Helvetica-Bold +# +monospaced.latin1.plain=Courier +monospaced.latin1.italic=Courier-Oblique +monospaced.latin1.bolditalic=Courier-BoldOblique +monospaced.latin1.bold=Courier-Bold +# +serif.x11jis0208.plain=Ryumin-Light-H +serif.x11jis0208.italic=Ryumin-Light-H +serif.x11jis0208.bolditalic=Ryumin-Light-H +serif.x11jis0208.bold=Ryumin-Light-H +# +sansserif.x11jis0208.plain=GothicBBB-Medium-H +sansserif.x11jis0208.italic=GothicBBB-Medium-H +sansserif.x11jis0208.bolditalic=GothicBBB-Medium-H +sansserif.x11jis0208.bold=GothicBBB-Medium-H +# +monospaced.x11jis0208.plain=GothicBBB-Medium-H +monospaced.x11jis0208.italic=GothicBBB-Medium-H +monospaced.x11jis0208.bolditalic=GothicBBB-Medium-H +monospaced.x11jis0208.bold=GothicBBB-Medium-H +# +serif.x11jis0201.plain=Ryumin-Light.Hankaku +serif.x11jis0201.italic=Ryumin-Light.Hankaku +serif.x11jis0201.bolditalic=Ryumin-Light.Hankaku +serif.x11jis0201.bold=Ryumin-Light.Hankaku +# +sansserif.x11jis0201.plain=GothicBBB-Medium.Hankaku +sansserif.x11jis0201.italic=GothicBBB-Medium.Hankaku +sansserif.x11jis0201.bolditalic=GothicBBB-Medium.Hankaku +sansserif.x11jis0201.bold=GothicBBB-Medium.Hankaku +# +monospaced.x11jis0201.plain=GothicBBB-Medium.Hankaku +monospaced.x11jis0201.italic=GothicBBB-Medium.Hankaku +monospaced.x11jis0201.bolditalic=GothicBBB-Medium.Hankaku +monospaced.x11jis0201.bold=GothicBBB-Medium.Hankaku +# +Helvetica=0 +Helvetica-Bold=1 +Helvetica-Oblique=2 +Helvetica-BoldOblique=3 +Times-Roman=4 
+Times-Bold=5 +Times-Italic=6 +Times-BoldItalic=7 +Courier=8 +Courier-Bold=9 +Courier-Oblique=10 +Courier-BoldOblique=11 +GothicBBB-Medium-H=12 +Ryumin-Light-H=13 +GothicBBB-Medium.Hankaku=14 +Ryumin-Light.Hankaku=15 +# +font.0=Helvetica ISOF +font.1=Helvetica-Bold ISOF +font.2=Helvetica-Oblique ISOF +font.3=Helvetica-BoldOblique ISOF +font.4=Times-Roman ISOF +font.5=Times-Bold ISOF +font.6=Times-Italic ISOF +font.7=Times-BoldItalic ISOF +font.8=Courier ISOF +font.9=Courier-Bold ISOF +font.10=Courier-Oblique ISOF +font.11=Courier-BoldOblique ISOF +font.12=GothicBBB-Medium-H findfont +font.13=Ryumin-Light-H findfont +font.14=GothicBBB-Medium.Hankaku findfont +font.15=Ryumin-Light.Hankaku findfont +# diff --git a/java-17-openjdk/psfontj2d.properties b/java-17-openjdk/psfontj2d.properties new file mode 100644 index 00000000..5eb2c4b8 --- /dev/null +++ b/java-17-openjdk/psfontj2d.properties 
@@ -0,0 +1,323 @@ +# +# +# Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. + +# +# PostScript printer property file for Java 2D printing. +# +# WARNING: This is an internal implementation file, not a public file. +# Any customisation or reliance on the existence of this file and its +# contents or syntax is discouraged and unsupported. +# It may be incompatibly changed or removed without any notice. +# +# +font.num=35 +# +# Legacy logical font family names and logical font aliases should all +# map to the primary logical font names. 
+# +serif=serif +times=serif +timesroman=serif +sansserif=sansserif +helvetica=sansserif +dialog=sansserif +dialoginput=monospaced +monospaced=monospaced +courier=monospaced +# +# Next, physical fonts which can be safely mapped to standard postscript fonts +# These keys generally map to a value which is the same as the key, so +# the key/value is just a way to say the font has a mapping. +# Sometimes however we map more than one screen font to the same PS font. +# +avantgarde=avantgarde_book +avantgarde_book=avantgarde_book +avantgarde_demi=avantgarde_demi +avantgarde_book_oblique=avantgarde_book_oblique +avantgarde_demi_oblique=avantgarde_demi_oblique +# +itcavantgarde=avantgarde_book +itcavantgarde=avantgarde_book +itcavantgarde_demi=avantgarde_demi +itcavantgarde_oblique=avantgarde_book_oblique +itcavantgarde_demi_oblique=avantgarde_demi_oblique +# +bookman=bookman_light +bookman_light=bookman_light +bookman_demi=bookman_demi +bookman_light_italic=bookman_light_italic +bookman_demi_italic=bookman_demi_italic +# +# Exclude "helvetica" on its own as that's a legacy name for a logical font +helvetica_bold=helvetica_bold +helvetica_oblique=helvetica_oblique +helvetica_bold_oblique=helvetica_bold_oblique +# +itcbookman_light=bookman_light +itcbookman_demi=bookman_demi +itcbookman_light_italic=bookman_light_italic +itcbookman_demi_italic=bookman_demi_italic +# +# Exclude "courier" on its own as that's a legacy name for a logical font +courier_bold=courier_bold +courier_oblique=courier_oblique +courier_bold_oblique=courier_bold_oblique +# +courier_new=courier +courier_new_bold=courier_bold +# +monotype_century_schoolbook=newcenturyschoolbook +monotype_century_schoolbook_bold=newcenturyschoolbook_bold +monotype_century_schoolbook_italic=newcenturyschoolbook_italic +monotype_century_schoolbook_bold_italic=newcenturyschoolbook_bold_italic +# +newcenturyschoolbook=newcenturyschoolbook +newcenturyschoolbook_bold=newcenturyschoolbook_bold 
+newcenturyschoolbook_italic=newcenturyschoolbook_italic +newcenturyschoolbook_bold_italic=newcenturyschoolbook_bold_italic +# +palatino=palatino +palatino_bold=palatino_bold +palatino_italic=palatino_italic +palatino_bold_italic=palatino_bold_italic +# +# Exclude "times" on its own as that's a legacy name for a logical font +times_bold=times_roman_bold +times_italic=times_roman_italic +times_bold_italic=times_roman_bold_italic +# +times_roman=times_roman +times_roman_bold=times_roman_bold +times_roman_italic=times_roman_italic +times_roman_bold_italic=times_roman_bold_italic +# +times_new_roman=times_roman +times_new_roman_bold=times_roman_bold +times_new_roman_italic=times_roman_italic +times_new_roman_bold_italic=times_roman_bold_italic +# +zapfchancery_italic=zapfchancery_italic +itczapfchancery_italic=zapfchancery_italic +# +# Next the mapping of the font name + charset + style to Postscript font name +# for the logical fonts. +# +serif.latin1.plain=Times-Roman +serif.latin1.bold=Times-Bold +serif.latin1.italic=Times-Italic +serif.latin1.bolditalic=Times-BoldItalic +serif.symbol.plain=Symbol +serif.dingbats.plain=ZapfDingbats +serif.symbol.bold=Symbol +serif.dingbats.bold=ZapfDingbats +serif.symbol.italic=Symbol +serif.dingbats.italic=ZapfDingbats +serif.symbol.bolditalic=Symbol +serif.dingbats.bolditalic=ZapfDingbats +# +sansserif.latin1.plain=Helvetica +sansserif.latin1.bold=Helvetica-Bold +sansserif.latin1.italic=Helvetica-Oblique +sansserif.latin1.bolditalic=Helvetica-BoldOblique +sansserif.symbol.plain=Symbol +sansserif.dingbats.plain=ZapfDingbats +sansserif.symbol.bold=Symbol +sansserif.dingbats.bold=ZapfDingbats +sansserif.symbol.italic=Symbol +sansserif.dingbats.italic=ZapfDingbats +sansserif.symbol.bolditalic=Symbol +sansserif.dingbats.bolditalic=ZapfDingbats +# +monospaced.latin1.plain=Courier +monospaced.latin1.bold=Courier-Bold +monospaced.latin1.italic=Courier-Oblique +monospaced.latin1.bolditalic=Courier-BoldOblique 
+monospaced.symbol.plain=Symbol +monospaced.dingbats.plain=ZapfDingbats +monospaced.symbol.bold=Symbol +monospaced.dingbats.bold=ZapfDingbats +monospaced.symbol.italic=Symbol +monospaced.dingbats.italic=ZapfDingbats +monospaced.symbol.bolditalic=Symbol +monospaced.dingbats.bolditalic=ZapfDingbats +# +# Next the mapping of the font name + charset + style to Postscript font name +# for the physical fonts. Since these always report style as plain, the +# style key is always plain. So we map using the face name to the correct +# style for the postscript font. This is possible since the face names can +# be replied upon to be different for each style. +# However an application may try to create a Font applying a style to an +# physical name. We want to map to the correct Postscript font there too +# if possible but we do not map cases where the application tries to +# augment a style (eg ask for a bold version of a bold font) +# Defer to the 2D package to attempt create an artificially styled version +# +avantgarde_book.latin1.plain=AvantGarde-Book +avantgarde_demi.latin1.plain=AvantGarde-Demi +avantgarde_book_oblique.latin1.plain=AvantGarde-BookOblique +avantgarde_demi_oblique.latin1.plain=AvantGarde-DemiOblique +# +avantgarde_book.latin1.bold=AvantGarde-Demi +avantgarde_book.latin1.italic=AvantGarde-BookOblique +avantgarde_book.latin1.bolditalic=AvantGarde-DemiOblique +avantgarde_demi.latin1.italic=AvantGarde-DemiOblique +avantgarde_book_oblique.latin1.bold=AvantGarde-DemiOblique +# +bookman_light.latin1.plain=Bookman-Light +bookman_demi.latin1.plain=Bookman-Demi +bookman_light_italic.latin1.plain=Bookman-LightItalic +bookman_demi_italic.latin1.plain=Bookman-DemiItalic +# +bookman_light.latin1.bold=Bookman-Demi +bookman_light.latin1.italic=Bookman-LightItalic +bookman_light.latin1.bolditalic=Bookman-DemiItalic +bookman_light_bold.latin1.italic=Bookman-DemiItalic +bookman_light_italic.latin1.bold=Bookman-DemiItalic +# +courier.latin1.plain=Courier 
+courier_bold.latin1.plain=Courier-Bold +courier_oblique.latin1.plain=Courier-Oblique +courier_bold_oblique.latin1.plain=Courier-BoldOblique +courier.latin1.bold=Courier-Bold +courier.latin1.italic=Courier-Oblique +courier.latin1.bolditalic=Courier-BoldOblique +courier_bold.latin1.italic=Courier-BoldOblique +courier_italic.latin1.bold=Courier-BoldOblique +# +helvetica_bold.latin1.plain=Helvetica-Bold +helvetica_oblique.latin1.plain=Helvetica-Oblique +helvetica_bold_oblique.latin1.plain=Helvetica-BoldOblique +helvetica.latin1.bold=Helvetica-Bold +helvetica.latin1.italic=Helvetica-Oblique +helvetica.latin1.bolditalic=Helvetica-BoldOblique +helvetica_bold.latin1.italic=Helvetica-BoldOblique +helvetica_italic.latin1.bold=Helvetica-BoldOblique +# +newcenturyschoolbook.latin1.plain=NewCenturySchlbk-Roman +newcenturyschoolbook_bold.latin1.plain=NewCenturySchlbk-Bold +newcenturyschoolbook_italic.latin1.plain=NewCenturySchlbk-Italic +newcenturyschoolbook_bold_italic.latin1.plain=NewCenturySchlbk-BoldItalic +newcenturyschoolbook.latin1.bold=NewCenturySchlbk-Bold +newcenturyschoolbook.latin1.italic=NewCenturySchlbk-Italic +newcenturyschoolbook.latin1.bolditalic=NewCenturySchlbk-BoldItalic +newcenturyschoolbook_bold.latin1.italic=NewCenturySchlbk-BoldItalic +newcenturyschoolbook_italic.latin1.bold=NewCenturySchlbk-BoldItalic +# +palatino.latin1.plain=Palatino-Roman +palatino_bold.latin1.plain=Palatino-Bold +palatino_italic.latin1.plain=Palatino-Italic +palatino_bold_italic.latin1.plain=Palatino-BoldItalic +palatino.latin1.bold=Palatino-Bold +palatino.latin1.italic=Palatino-Italic +palatino.latin1.bolditalic=Palatino-BoldItalic +palatino_bold.latin1.italic=Palatino-BoldItalic +palatino_italic.latin1.bold=Palatino-BoldItalic +# +times_roman.latin1.plain=Times-Roman +times_roman_bold.latin1.plain=Times-Bold +times_roman_italic.latin1.plain=Times-Italic +times_roman_bold_italic.latin1.plain=Times-BoldItalic +times_roman.latin1.bold=Times-Bold 
+times_roman.latin1.italic=Times-Italic +times_roman.latin1.bolditalic=Times-BoldItalic +times_roman_bold.latin1.italic=Times-BoldItalic +times_roman_italic.latin1.bold=Times-BoldItalic +# +zapfchancery_italic.latin1.plain=ZapfChancery-MediumItalic +# +# Finally the mappings of PS font names to indexes. +# +AvantGarde-Book=0 +AvantGarde-BookOblique=1 +AvantGarde-Demi=2 +AvantGarde-DemiOblique=3 +Bookman-Demi=4 +Bookman-DemiItalic=5 +Bookman-Light=6 +Bookman-LightItalic=7 +Courier=8 +Courier-Bold=9 +Courier-BoldOblique=10 +Courier-Oblique=11 +Helvetica=12 +Helvetica-Bold=13 +Helvetica-BoldOblique=14 +Helvetica-Narrow=15 +Helvetica-Narrow-Bold=16 +Helvetica-Narrow-BoldOblique=17 +Helvetica-Narrow-Oblique=18 +Helvetica-Oblique=19 +NewCenturySchlbk-Bold=20 +NewCenturySchlbk-BoldItalic=21 +NewCenturySchlbk-Italic=22 +NewCenturySchlbk-Roman=23 +Palatino-Bold=24 +Palatino-BoldItalic=25 +Palatino-Italic=26 +Palatino-Roman=27 +Symbol=28 +Times-Bold=29 +Times-BoldItalic=30 +Times-Italic=31 +Times-Roman=32 +ZapfDingbats=33 +ZapfChancery-MediumItalic=34 +# +font.0=AvantGarde-Book ISOF +font.1=AvantGarde-BookOblique ISOF +font.2=AvantGarde-Demi ISOF +font.3=AvantGarde-DemiOblique ISOF +font.4=Bookman-Demi ISOF +font.5=Bookman-DemiItalic ISOF +font.6=Bookman-Light ISOF +font.7=Bookman-LightItalic ISOF +font.8=Courier ISOF +font.9=Courier-Bold ISOF +font.10=Courier-BoldOblique ISOF +font.11=Courier-Oblique ISOF +font.12=Helvetica ISOF +font.13=Helvetica-Bold ISOF +font.14=Helvetica-BoldOblique ISOF +font.15=Helvetica-Narrow ISOF +font.16=Helvetica-Narrow-Bold ISOF +font.17=Helvetica-Narrow-BoldOblique ISOF +font.18=Helvetica-Narrow-Oblique ISOF +font.19=Helvetica-Oblique ISOF +font.20=NewCenturySchlbk-Bold ISOF +font.21=NewCenturySchlbk-BoldItalic ISOF +font.22=NewCenturySchlbk-Italic ISOF +font.23=NewCenturySchlbk-Roman ISOF +font.24=Palatino-Bold ISOF +font.25=Palatino-BoldItalic ISOF +font.26=Palatino-Italic ISOF +font.27=Palatino-Roman ISOF +font.28=Symbol findfont 
+font.29=Times-Bold ISOF +font.30=Times-BoldItalic ISOF +font.31=Times-Italic ISOF +font.32=Times-Roman ISOF +font.33=ZapfDingbats findfont +font.34=ZapfChancery-MediumItalic ISOF +# diff --git a/java-17-openjdk/security/blocked.certs b/java-17-openjdk/security/blocked.certs new file mode 100644 index 00000000..beded9ed --- /dev/null +++ b/java-17-openjdk/security/blocked.certs 
@@ -0,0 +1,39 @@ +Algorithm=SHA-256 +03DB9E5E79FE6117177F81C11595AF598CB176AF766290DBCEB2C318B32E39A2 +08C396C006A21055D00826A5781A5CCFCE2C8D053AB3C197637A4A7A5BB9A650 +14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD +1C5E6985ACC09221DBD1A4B7BBC6D3A8C3F8540D19F20763A9537FDD42B4FFE7 +1F6BF8A3F2399AF7FD04516C2719C566CBAD51F412738F66D0457E1E6BDE6F2D +2A464E4113141352C7962FBD1706ED4B88533EF24D7BBA6CCC5D797FD202F1C4 +31C8FD37DB9B56E708B03D1F01848B068C6DA66F36FB5D82C008C6040FA3E133 +3946901F46B0071E90D78279E82FABABCA177231A704BE72C5B0E8918566EA66 +3E11CF90719F6FB44D94EAC9A156B89BEBE7B8598F28EC58913F2BFCAF91D0C0 +423279423B9FC8CB06F1BB7C3B247522B948D5F18939F378ECC901126DE40BFB +450F1B421BB05C8609854884559C323319619E8B06B001EA2DCBB74A23AA3BE2 +4CBBF8256BC9888A8007B2F386940A2E394378B0D903CBB3863C5A6394B889CE +4FEE0163686ECBD65DB968E7494F55D84B25486D438E9DE558D629D28CD4D176 +535D04DFCE027C70BD5F8A9E0AD4F218E9AFDCF5BBCF9B6DE0D81E148E2E3172 +568FAF38D9F155F624838E2181B1CEB4D8459305EE652B0F810C97C3611BFE19 +585CFE6B7436CBD4E732763A2137D7F49599BA9B1790E688FCEC799C58EB84A6 +5E83124D68D24E8E177E306DF643D5EA99C5A94D6FC34B072F7544A1CABB7C7B +71CB00749B9130FB2707A2664BFF958D0FCC8E161D9674C7450BA0FC2BEAF9D3 +76A45A496031E4DD2D7ED23E8F6FF97DBDEA980BAAC8B0BA94D7EDB551348645 +8A1BD21661C60015065212CC98B1ABB50DFD14C872A208E66BAE890F25C448AF +9ED8F9B0E8E42A1656B8E1DD18F42BA42DC06FE52686173BA2FC70E756F207DC +9FADCE80D62A959F9930D748488C1E22E821F4E1E4A43584B848C2FC11E04D77 +A686FEE577C88AB664D0787ECDFFF035F4806F3DE418DC9E4D516324FFF02083 +A90132CEA1D4F7185E4F688EFFD16F6AC14DFD78356A807599A5DABBEEF3333E +B8686723E415534BC0DBD16326F9486F85B0B0799BF6639334E61DAAE67F36CD +C0D1F42B9F4BF7ACC045B7BB5D4805E10737F67B6310CE505248D543D0D5FE07 +D0156949F1381943442C6974E9B5B49EF441BB799EF20477B90A89C3F33620CE +D151962D954970501C60079258EBCFA38502E0A9F03CD640322B08C0A3117FE5 +D24566BF315F4E597D6E381C87119FB4198F5E9E2607F5F4AB362EF7E2E7672F 
+D3A936E1A7775A45217C8296A1F22AC5631DCDEC45594099E78EEEBBEDCBA967 +D6CEAE5D9E047FAF7D797858D229AC991AD44316D1E2A37A21926D763153593A +DF21016B00FC54F9FE3BC8B039911BB216E9162FAD2FD14D990AB96E951B49BE +E0E740E4B0F8B3548181FF75B5372FAF4C70B99EC995D694ED0FB91B03FF8D21 +EC30C9C3065A06BB07DC5B1C6B497F370C1CA65C0F30C08E042BA6BCECC78F2C +F5B6F88F75D391A4B1EB336F9E201239FB6B1377DB8CFA7B84736216E5AFFFD7 +FBB12938ABD86C125796EDF4162D291028890A7D6C0C1CCA75FD4B95EBFA7A1A +FC02FD48DB92D4DCE6F11679D38354CF750CFC7F584A520EB90BDE80E241F2BD +FDEDB5BDFCB67411513A61AEE5CB5B5D7C52AF06028EFC996CC1B05B1D6CEA2B diff --git a/java-17-openjdk/security/default.policy b/java-17-openjdk/security/default.policy new file mode 100644 index 00000000..b22f2694 --- /dev/null +++ b/java-17-openjdk/security/default.policy 
@@ -0,0 +1,225 @@
+//
+// Permissions required by modules stored in a run-time image and loaded
+// by the platform class loader.
+//
+// NOTE that this file is not intended to be modified. If additional
+// permissions need to be granted to the modules in this file, it is
+// recommended that they be configured in a separate policy file or
+// ${java.home}/conf/security/java.policy.
+//
+
+
+grant codeBase "jrt:/java.compiler" {
+ permission java.security.AllPermission;
+};
+
+
+grant codeBase "jrt:/java.net.http" {
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.net";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.net.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.net.SocketPermission "*","connect,resolve";
+ permission java.net.URLPermission "http:*","*:*";
+ permission java.net.URLPermission "https:*","*:*";
+ permission java.net.URLPermission "ws:*","*:*";
+ permission java.net.URLPermission "wss:*","*:*";
+ permission java.net.URLPermission "socket:*","CONNECT"; // proxy
+ // For request/response body processors, fromFile, asFile
+ permission java.io.FilePermission "<>","read,write,delete";
+ permission java.util.PropertyPermission "*","read";
+ permission java.net.NetPermission "getProxySelector";
+};
+
+grant codeBase "jrt:/java.scripting" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/java.security.jgss" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/java.smartcardio" {
+ permission javax.smartcardio.CardPermission "*", "*";
+ permission java.lang.RuntimePermission "loadLibrary.j2pcsc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.jca";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.util";
+ permission java.util.PropertyPermission
+ "javax.smartcardio.TerminalFactory.DefaultType", "read";
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "sun.arch.data.model", "read";
+ permission java.util.PropertyPermission
+ "sun.security.smartcardio.library", "read";
+ permission java.util.PropertyPermission
+ "sun.security.smartcardio.t0GetResponse", "read";
+ permission java.util.PropertyPermission
+ "sun.security.smartcardio.t1GetResponse", "read";
+ permission java.util.PropertyPermission
+ "sun.security.smartcardio.t1StripLe", "read";
+ // needed for looking up native PC/SC library
+ permission java.io.FilePermission "<>","read";
+ permission java.security.SecurityPermission "putProviderProperty.SunPCSC";
+ permission java.security.SecurityPermission
+ "clearProviderProperties.SunPCSC";
+ permission java.security.SecurityPermission
+ "removeProviderProperty.SunPCSC";
+};
+
+grant codeBase "jrt:/java.sql" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/java.sql.rowset" {
+ permission java.security.AllPermission;
+};
+
+
+grant codeBase "jrt:/java.xml.crypto" {
+ permission java.lang.RuntimePermission
+ "getStackWalkerWithClassReference";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.util";
+ permission java.util.PropertyPermission "*", "read";
+ permission java.security.SecurityPermission "putProviderProperty.XMLDSig";
+ permission java.security.SecurityPermission
+ "clearProviderProperties.XMLDSig";
+ permission java.security.SecurityPermission
+ "removeProviderProperty.XMLDSig";
+ permission java.security.SecurityPermission
+ "com.sun.org.apache.xml.internal.security.register";
+ permission java.security.SecurityPermission
+ "getProperty.jdk.xml.dsig.secureValidationPolicy";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.org.apache.xml.internal.*";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.org.apache.xpath.internal";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.org.apache.xpath.internal.*";
+ permission java.io.FilePermission "<>","read";
+ permission java.net.SocketPermission "*", "connect,resolve";
+};
+
+
+grant codeBase "jrt:/jdk.accessibility" {
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.awt";
+};
+
+grant codeBase "jrt:/jdk.charsets" {
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.lang.RuntimePermission "charsetProvider";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.jdk.internal.access";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.cs";
+};
+
+grant codeBase "jrt:/jdk.crypto.ec" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
+ permission java.lang.RuntimePermission "loadLibrary.sunec";
+ permission java.security.SecurityPermission "putProviderProperty.SunEC";
+ permission java.security.SecurityPermission "clearProviderProperties.SunEC";
+ permission java.security.SecurityPermission "removeProviderProperty.SunEC";
+};
+
+grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+ permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
+ permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";
+ permission java.util.PropertyPermission "sun.security.pkcs11.disableKeyExtraction", "read";
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
+ permission java.security.SecurityPermission "putProviderProperty.*";
+ permission java.security.SecurityPermission "clearProviderProperties.*";
+ permission java.security.SecurityPermission "removeProviderProperty.*";
+ permission java.security.SecurityPermission
+ "getProperty.auth.login.defaultCallbackHandler";
+ permission java.security.SecurityPermission "authProvider.*";
+ // Needed for reading PKCS11 config file and NSS library check
+ permission java.io.FilePermission "<>", "read";
+};
+
+grant codeBase "jrt:/jdk.dynalink" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.httpserver" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.internal.le" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.internal.vm.compiler" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.internal.vm.compiler.management" {
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.vm.compiler.collections";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.vm.ci.runtime";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.vm.ci.services";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.core.common";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.debug";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.hotspot";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.options";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.phases.common.jmx";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.graalvm.compiler.serviceprovider";
+};
+
+grant codeBase "jrt:/jdk.jsobject" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.localedata" {
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.text.*";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.*";
+};
+
+grant codeBase "jrt:/jdk.naming.dns" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.scripting.nashorn" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.scripting.nashorn.shell" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.security.auth" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.security.jgss" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "jrt:/jdk.zipfs" {
+ permission java.io.FilePermission "<>", "read,write,delete";
+ permission java.lang.RuntimePermission "fileSystemProvider";
+ permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "user.dir", "read";
+ permission java.util.PropertyPermission "user.name", "read";
+};
+
+// permissions needed by applications using java.desktop module
+grant {
+ permission java.lang.RuntimePermission "accessClassInPackage.com.sun.beans";
+ permission java.lang.RuntimePermission "accessClassInPackage.com.sun.beans.*";
+ permission java.lang.RuntimePermission "accessClassInPackage.com.sun.java.swing.plaf.*";
+ permission java.lang.RuntimePermission "accessClassInPackage.com.apple.*";
+};
diff --git a/java-17-openjdk/security/java.policy b/java-17-openjdk/security/java.policy
new file mode 100644
index 00000000..1554541d
--- /dev/null
+++ b/java-17-openjdk/security/java.policy
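Review bot: The five `java.io.FilePermission` grants in this hunk (under java.net.http, java.smartcardio, java.xml.crypto, jdk.crypto.cryptoki and jdk.zipfs) show the target as `"<>"`, which the policy syntax gives no special meaning; the packaged file presumably reads `"<<ALL FILES>>"` there and the page rendering may have stripped it. Before treating this commit as the record of what is on disk, compare the committed default.policy with the copy shipped in the openjdk-17-jre-headless package. The file's own header says it is not intended to be modified, so if the on-disk copy really contains `<>`, restore it from the package instead of editing it by hand.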
@@ -0,0 +1,44 @@
+//
+// This system policy file grants a set of default permissions to all domains
+// and can be configured to grant additional permissions to modules and other
+// code sources. The code source URL scheme for modules linked into a
+// run-time image is "jrt".
+//
+// For example, to grant permission to read the "foo" property to the module
+// "com.greetings", the grant entry is:
+//
+// grant codeBase "jrt:/com.greetings" {
+// permission java.util.PropertyPermission "foo", "read";
+// };
+//
+
+// default permissions granted to all domains
+grant {
+ // allows anyone to listen on dynamic ports
+ permission java.net.SocketPermission "localhost:0", "listen";
+
+ // "standard" properies that can be read by anyone
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+ permission java.util.PropertyPermission
+ "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+ permission java.util.PropertyPermission
+ "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission
+ "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission
+ "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+};
diff --git a/java-17-openjdk/security/java.policy b/java-17-openjdk/security/java.security
new file mode 100644
index 00000000..cab50bb4
--- /dev/null
+++ b/java-17-openjdk/security/java.security
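Review bot: The unqualified `grant { … }` block in this hunk is not the whole effective policy on this host, because the java.security file added by the same commit also sets `policy.url.2=file:${user.home}/.java.policy` and `policy.allowSystemProperty=true`. With those defaults a per-user policy file or a `-Djava.security.policy=` argument can add permissions on top of what is listed here. If any service on this machine is meant to run under a security manager, consider commenting out `policy.url.2` and setting `policy.allowSystemProperty=false` in java.security, and record that decision in the commit message. These are the packaged defaults, so this is a hardening suggestion rather than a regression introduced by the commit.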
@@ -0,0 +1,1356 @@ +# +# This is the "master security properties file". +# +# An alternate java.security properties file may be specified +# from the command line via the system property +# +# -Djava.security.properties= +# +# This properties file appends to the master security properties file. +# If both properties files specify values for the same key, the value +# from the command-line properties file is selected, as it is the last +# one loaded. +# +# Also, if you specify +# +# -Djava.security.properties== (2 equals), +# +# then that properties file completely overrides the master security +# properties file. +# +# To disable the ability to specify an additional properties file from +# the command line, set the key security.overridePropertiesFile +# to false in the master security properties file. It is set to true +# by default. + +# In this file, various security properties are set for use by +# java.security classes. This is where users can statically register +# Cryptography Package Providers ("providers" for short). The term +# "provider" refers to a package or set of packages that supply a +# concrete implementation of a subset of the cryptography aspects of +# the Java Security API. A provider may, for example, implement one or +# more digital signature algorithms or message digest algorithms. +# +# Each provider must implement a subclass of the Provider class. +# To register a provider in this master security properties file, +# specify the provider and priority in the format +# +# security.provider.= +# +# This declares a provider, and specifies its preference +# order n. The preference order is the order in which providers are +# searched for requested algorithms (when no specific provider is +# requested). The order is 1-based; 1 is the most preferred, followed +# by 2, and so on. +# +# must specify the name of the Provider as passed to its super +# class java.security.Provider constructor. 
This is for providers loaded +# through the ServiceLoader mechanism. +# +# must specify the subclass of the Provider class whose +# constructor sets the values of various properties that are required +# for the Java Security API to look up the algorithms or other +# facilities implemented by the provider. This is for providers loaded +# through classpath. +# +# Note: Providers can be dynamically registered instead by calls to +# either the addProvider or insertProviderAt method in the Security +# class. + +# +# List of providers and their preference orders (see above): +# +security.provider.1=SUN +security.provider.2=SunRsaSign +security.provider.3=SunEC +security.provider.4=SunJSSE +security.provider.5=SunJCE +security.provider.6=SunJGSS +security.provider.7=SunSASL +security.provider.8=XMLDSig +security.provider.9=SunPCSC +security.provider.10=JdkLDAP +security.provider.11=JdkSASL +security.provider.12=SunPKCS11 + +# +# A list of preferred providers for specific algorithms. These providers will +# be searched for matching algorithms before the list of registered providers. +# Entries containing errors (parsing, etc) will be ignored. Use the +# -Djava.security.debug=jca property to debug these errors. +# +# The property is a comma-separated list of serviceType.algorithm:provider +# entries. The serviceType (example: "MessageDigest") is optional, and if +# not specified, the algorithm applies to all service types that support it. +# The algorithm is the standard algorithm name or transformation. +# Transformations can be specified in their full standard name +# (ex: AES/CBC/PKCS5Padding), or as partial matches (ex: AES, AES/CBC). +# The provider is the name of the provider. Any provider that does not +# also appear in the registered list will be ignored. +# +# There is a special serviceType for this property only to group a set of +# algorithms together. The type is "Group" and is followed by an algorithm +# keyword. 
Groups are to simplify and lessen the entries on the property +# line. Current groups are: +# Group.SHA2 = SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 +# Group.HmacSHA2 = HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512 +# Group.SHA2RSA = SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA +# Group.SHA2DSA = SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA +# Group.SHA2ECDSA = SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, \ +# SHA512withECDSA +# Group.SHA3 = SHA3-224, SHA3-256, SHA3-384, SHA3-512 +# Group.HmacSHA3 = HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512 +# +# Example: +# jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \ +# MessageDigest.SHA-256:SUN, Group.HmacSHA2:SunJCE +# +#jdk.security.provider.preferred= + + +# +# Sun Provider SecureRandom seed source. +# +# Select the primary source of seed data for the "NativePRNG", "SHA1PRNG" +# and "DRBG" SecureRandom implementations in the "Sun" provider. +# (Other SecureRandom implementations might also use this property.) +# +# On Unix-like systems (for example, Linux/MacOS), the +# "NativePRNG", "SHA1PRNG" and "DRBG" implementations obtains seed data from +# special device files such as file:/dev/random. +# +# On Windows systems, specifying the URLs "file:/dev/random" or +# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding +# mechanism for SHA1PRNG and DRBG. +# +# By default, an attempt is made to use the entropy gathering device +# specified by the "securerandom.source" Security property. If an +# exception occurs while accessing the specified URL: +# +# NativePRNG: +# a default value of /dev/random will be used. If neither +# are available, the implementation will be disabled. +# "file" is the only currently supported protocol type. +# +# SHA1PRNG and DRBG: +# the traditional system/thread activity algorithm will be used. +# +# The entropy gathering device can also be specified with the System +# property "java.security.egd". 
For example: +# +# % java -Djava.security.egd=file:/dev/random MainClass +# +# Specifying this System property will override the +# "securerandom.source" Security property. +# +# In addition, if "file:/dev/random" or "file:/dev/urandom" is +# specified, the "NativePRNG" implementation will be more preferred than +# DRBG and SHA1PRNG in the Sun provider. +# +securerandom.source=file:/dev/random + +# +# A list of known strong SecureRandom implementations. +# +# To help guide applications in selecting a suitable strong +# java.security.SecureRandom implementation, Java distributions should +# indicate a list of known strong implementations using the property. +# +# This is a comma-separated list of algorithm and/or algorithm:provider +# entries. +# +securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN + +# +# Sun provider DRBG configuration and default instantiation request. +# +# NIST SP 800-90Ar1 lists several DRBG mechanisms. Each can be configured +# with a DRBG algorithm name, and can be instantiated with a security strength, +# prediction resistance support, etc. This property defines the configuration +# and the default instantiation request of "DRBG" SecureRandom implementations +# in the SUN provider. (Other DRBG implementations can also use this property.) +# Applications can request different instantiation parameters like security +# strength, capability, personalization string using one of the +# getInstance(...,SecureRandomParameters,...) methods with a +# DrbgParameters.Instantiation argument, but other settings such as the +# mechanism and DRBG algorithm names are not currently configurable by any API. +# +# Please note that the SUN implementation of DRBG always supports reseeding. +# +# The value of this property is a comma-separated list of all configurable +# aspects. The aspects can appear in any order but the same aspect can only +# appear at most once. 
Its BNF-style definition is: +# +# Value: +# aspect { "," aspect } +# +# aspect: +# mech_name | algorithm_name | strength | capability | df +# +# // The DRBG mechanism to use. Default "Hash_DRBG" +# mech_name: +# "Hash_DRBG" | "HMAC_DRBG" | "CTR_DRBG" +# +# // The DRBG algorithm name. The "SHA-***" names are for Hash_DRBG and +# // HMAC_DRBG, default "SHA-256". The "AES-***" names are for CTR_DRBG, +# // default "AES-128" when using the limited cryptographic or "AES-256" +# // when using the unlimited. +# algorithm_name: +# "SHA-224" | "SHA-512/224" | "SHA-256" | +# "SHA-512/256" | "SHA-384" | "SHA-512" | +# "AES-128" | "AES-192" | "AES-256" +# +# // Security strength requested. Default "128" +# strength: +# "112" | "128" | "192" | "256" +# +# // Prediction resistance and reseeding request. Default "none" +# // "pr_and_reseed" - Both prediction resistance and reseeding +# // support requested +# // "reseed_only" - Only reseeding support requested +# // "none" - Neither prediction resistance not reseeding +# // support requested +# pr: +# "pr_and_reseed" | "reseed_only" | "none" +# +# // Whether a derivation function should be used. only applicable +# // to CTR_DRBG. Default "use_df" +# df: +# "use_df" | "no_df" +# +# Examples, +# securerandom.drbg.config=Hash_DRBG,SHA-224,112,none +# securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df +# +# The default value is an empty string, which is equivalent to +# securerandom.drbg.config=Hash_DRBG,SHA-256,128,none +# +securerandom.drbg.config= + +# +# Class to instantiate as the javax.security.auth.login.Configuration +# provider. +# +login.configuration.provider=sun.security.provider.ConfigFile + +# +# Default login configuration file +# +#login.config.url.1=file:${user.home}/.java.login.config + +# +# Class to instantiate as the system Policy. This is the name of the class +# that will be used as the Policy object. The system class loader is used to +# locate this class. 
+# +policy.provider=sun.security.provider.PolicyFile + +# The default is to have a single system-wide policy file, +# and a policy file in the user's home directory. +# +policy.url.1=file:${java.home}/conf/security/java.policy +policy.url.2=file:${user.home}/.java.policy + +# Controls whether or not properties are expanded in policy and login +# configuration files. If set to false, properties (${...}) will not +# be expanded in policy and login configuration files. If commented out or +# set to an empty string, the default value is "false" for policy files and +# "true" for login configuration files. +# +policy.expandProperties=true + +# Controls whether or not an extra policy or login configuration file is +# allowed to be passed on the command line with -Djava.security.policy=somefile +# or -Djava.security.auth.login.config=somefile. If commented out or set to +# an empty string, the default value is "false". +# +policy.allowSystemProperty=true + +# whether or not we look into the IdentityScope for trusted Identities +# when encountering a 1.1 signed JAR file. If the identity is found +# and is trusted, we grant it AllPermission. Note: the default policy +# provider (sun.security.provider.PolicyFile) does not support this property. +# +policy.ignoreIdentityScope=false + +# +# Default keystore type. +# +keystore.type=pkcs12 + +# +# Controls compatibility mode for JKS and PKCS12 keystore types. +# +# When set to 'true', both JKS and PKCS12 keystore types support loading +# keystore files in either JKS or PKCS12 format. When set to 'false' the +# JKS keystore type supports loading only JKS keystore files and the PKCS12 +# keystore type supports loading only PKCS12 keystore files. 
+# +keystore.type.compat=true + +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when passed to the +# SecurityManager::checkPackageAccess method unless the corresponding +# RuntimePermission("accessClassInPackage."+package) has been granted. +# +package.access=sun.misc.,\ + sun.reflect.,\ + org.GNOME.Accessibility. + +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when passed to the +# SecurityManager::checkPackageDefinition method unless the corresponding +# RuntimePermission("defineClassInPackage."+package) has been granted. +# +# By default, none of the class loaders supplied with the JDK call +# checkPackageDefinition. +# +package.definition=sun.misc.,\ + sun.reflect. + +# +# Determines whether this properties file can be appended to +# or overridden on the command line via -Djava.security.properties +# +security.overridePropertiesFile=true + +# +# Determines the default key and trust manager factory algorithms for +# the javax.net.ssl package. +# +ssl.KeyManagerFactory.algorithm=SunX509 +ssl.TrustManagerFactory.algorithm=PKIX + +# +# The Java-level namelookup cache policy for successful lookups: +# +# any negative value: caching forever +# any positive value: the number of seconds to cache an address for +# zero: do not cache +# +# default value is forever (FOREVER). For security reasons, this +# caching is made forever when a security manager is set. When a security +# manager is not set, the default behavior in this implementation +# is to cache for 30 seconds. +# +# NOTE: setting this to anything other than the default value can have +# serious security implications. Do not set it unless +# you are sure you are not exposed to DNS spoofing attack. 
+# +#networkaddress.cache.ttl=-1 + +# The Java-level namelookup cache policy for failed lookups: +# +# any negative value: cache forever +# any positive value: the number of seconds to cache negative lookup results +# zero: do not cache +# +# In some Microsoft Windows networking environments that employ +# the WINS name service in addition to DNS, name service lookups +# that fail may take a noticeably long time to return (approx. 5 seconds). +# For this reason the default caching policy is to maintain these +# results for 10 seconds. +# +networkaddress.cache.negative.ttl=10 + +# +# Properties to configure OCSP for certificate revocation checking +# + +# Enable OCSP +# +# By default, OCSP is not used for certificate revocation checking. +# This property enables the use of OCSP when set to the value "true". +# +# NOTE: SocketPermission is required to connect to an OCSP responder. +# +# Example, +# ocsp.enable=true + +# +# Location of the OCSP responder +# +# By default, the location of the OCSP responder is determined implicitly +# from the certificate being validated. This property explicitly specifies +# the location of the OCSP responder. The property is used when the +# Authority Information Access extension (defined in RFC 5280) is absent +# from the certificate or when it requires overriding. +# +# Example, +# ocsp.responderURL=http://ocsp.example.net:80 + +# +# Subject name of the OCSP responder's certificate +# +# By default, the certificate of the OCSP responder is that of the issuer +# of the certificate being validated. This property identifies the certificate +# of the OCSP responder when the default does not apply. Its value is a string +# distinguished name (defined in RFC 2253) which identifies a certificate in +# the set of certificates supplied during cert path validation. 
In cases where +# the subject name alone is not sufficient to uniquely identify the certificate +# then both the "ocsp.responderCertIssuerName" and +# "ocsp.responderCertSerialNumber" properties must be used instead. When this +# property is set then those two properties are ignored. +# +# Example, +# ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp + +# +# Issuer name of the OCSP responder's certificate +# +# By default, the certificate of the OCSP responder is that of the issuer +# of the certificate being validated. This property identifies the certificate +# of the OCSP responder when the default does not apply. Its value is a string +# distinguished name (defined in RFC 2253) which identifies a certificate in +# the set of certificates supplied during cert path validation. When this +# property is set then the "ocsp.responderCertSerialNumber" property must also +# be set. When the "ocsp.responderCertSubjectName" property is set then this +# property is ignored. +# +# Example, +# ocsp.responderCertIssuerName=CN=Enterprise CA, O=XYZ Corp + +# +# Serial number of the OCSP responder's certificate +# +# By default, the certificate of the OCSP responder is that of the issuer +# of the certificate being validated. This property identifies the certificate +# of the OCSP responder when the default does not apply. Its value is a string +# of hexadecimal digits (colon or space separators may be present) which +# identifies a certificate in the set of certificates supplied during cert path +# validation. When this property is set then the "ocsp.responderCertIssuerName" +# property must also be set. When the "ocsp.responderCertSubjectName" property +# is set then this property is ignored. +# +# Example, +# ocsp.responderCertSerialNumber=2A:FF:00 + +# +# Policy for failed Kerberos KDC lookups: +# +# When a KDC is unavailable (network error, service failure, etc), it is +# put inside a secondary list and accessed less often for future requests. 
The +# value (case-insensitive) for this policy can be: +# +# tryLast +# KDCs in the secondary list are always tried after those not on the list. +# +# tryLess[:max_retries,timeout] +# KDCs in the secondary list are still tried by their order in the +# configuration, but with smaller max_retries and timeout values. +# max_retries and timeout are optional numerical parameters (default 1 and +# 5000, which means once and 5 seconds). Please note that if any of the +# values defined here are more than what is defined in krb5.conf, it will be +# ignored. +# +# Whenever a KDC is detected as available, it is removed from the secondary +# list. The secondary list is reset when krb5.conf is reloaded. You can add +# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is +# reloaded whenever a JAAS authentication is attempted. +# +# Example, +# krb5.kdc.bad.policy = tryLast +# krb5.kdc.bad.policy = tryLess:2,2000 +# +krb5.kdc.bad.policy = tryLast + +# +# Kerberos cross-realm referrals (RFC 6806) +# +# OpenJDK's Kerberos client supports cross-realm referrals as defined in +# RFC 6806. This allows to setup more dynamic environments in which clients +# do not need to know in advance how to reach the realm of a target principal +# (either a user or service). +# +# When a client issues an AS or a TGS request, the "canonicalize" option +# is set to announce support of this feature. A KDC server may fulfill the +# request or reply referring the client to a different one. If referred, +# the client will issue a new request and the cycle repeats. +# +# In addition to referrals, the "canonicalize" option allows the KDC server +# to change the client name in response to an AS request. For security reasons, +# RFC 6806 (section 11) FAST scheme is enforced. +# +# Disable Kerberos cross-realm referrals. Value may be overwritten with a +# System property (-Dsun.security.krb5.disableReferrals). 
+sun.security.krb5.disableReferrals=false + +# Maximum number of AS or TGS referrals to avoid infinite loops. Value may +# be overwritten with a System property (-Dsun.security.krb5.maxReferrals). +sun.security.krb5.maxReferrals=5 + +# +# This property contains a list of disabled EC Named Curves that can be included +# in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this +# list in any of the disabledAlgorithms properties, add the property name as +# an entry. +#jdk.disabled.namedCurves= + +# +# Algorithm restrictions for certification path (CertPath) processing +# +# In some environments, certain algorithms or key lengths may be undesirable +# for certification path building and validation. For example, "MD2" is +# generally no longer considered to be a secure hash algorithm. This section +# describes the mechanism for disabling algorithms based on algorithm name +# and/or key length. This includes algorithms used in certificates, as well +# as revocation information such as CRLs and signed OCSP Responses. +# The syntax of the disabled algorithm string is described as follows: +# DisabledAlgorithms: +# " DisabledAlgorithm { , DisabledAlgorithm } " +# +# DisabledAlgorithm: +# AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty +# +# AlgorithmName: +# (see below) +# +# Constraint: +# KeySizeConstraint | CAConstraint | DenyAfterConstraint | +# UsageConstraint +# +# KeySizeConstraint: +# keySize Operator KeyLength +# +# Operator: +# <= | < | == | != | >= | > +# +# KeyLength: +# Integer value of the algorithm's key length in bits +# +# CAConstraint: +# jdkCA +# +# DenyAfterConstraint: +# denyAfter YYYY-MM-DD +# +# UsageConstraint: +# usage [TLSServer] [TLSClient] [SignedJAR] +# +# IncludeProperty: +# include +# +# The "AlgorithmName" is the standard algorithm name of the disabled +# algorithm. See the Java Security Standard Algorithm Names Specification +# for information about Standard Algorithm Names. 
Matching is
+# performed using a case-insensitive sub-element matching rule. (For
+# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
+# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a
+# sub-element of the certificate algorithm name, the algorithm will be
+# rejected during certification path building and validation. For example,
+# the assertion algorithm name "DSA" will disable all certificate algorithms
+# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
+# will not disable algorithms related to "ECDSA".
+#
+# The "IncludeProperty" allows a implementation-defined security property that
+# can be included in the disabledAlgorithms properties. These properties are
+# to help manage common actions easier across multiple disabledAlgorithm
+# properties.
+# There is one defined security property: jdk.disabled.NamedCurves
+# See the property for more specific details.
+#
+#
+# A "Constraint" defines restrictions on the keys and/or certificates for
+# a specified AlgorithmName:
+#
+# KeySizeConstraint:
+# keySize Operator KeyLength
+# The constraint requires a key of a valid size range if the
+# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
+# the key size specified in number of bits. For example,
+# "RSA keySize <= 1024" indicates that any RSA key with key size less
+# than or equal to 1024 bits should be disabled, and
+# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
+# with key size less than 1024 or greater than 2048 should be disabled.
+# This constraint is only used on algorithms that have a key size.
+#
+# CAConstraint:
+# jdkCA
+# This constraint prohibits the specified algorithm only if the
+# algorithm is used in a certificate chain that terminates at a marked
+# trust anchor in the lib/security/cacerts keystore. If the jdkCA
+# constraint is not set, then all chains using the specified algorithm
+# are restricted.
jdkCA may only be used once in a DisabledAlgorithm
+# expression.
+# Example: To apply this constraint to SHA-1 certificates, include
+# the following: "SHA1 jdkCA"
+#
+# DenyAfterConstraint:
+# denyAfter YYYY-MM-DD
+# This constraint prohibits a certificate with the specified algorithm
+# from being used after the date regardless of the certificate's
+# validity. JAR files that are signed and timestamped before the
+# constraint date with certificates containing the disabled algorithm
+# will not be restricted. The date is processed in the UTC timezone.
+# This constraint can only be used once in a DisabledAlgorithm
+# expression.
+# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
+# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
+#
+# UsageConstraint:
+# usage [TLSServer] [TLSClient] [SignedJAR]
+# This constraint prohibits the specified algorithm for
+# a specified usage. This should be used when disabling an algorithm
+# for all usages is not practical. 'TLSServer' restricts the algorithm
+# in TLS server certificate chains when server authentication is
+# performed. 'TLSClient' restricts the algorithm in TLS client
+# certificate chains when client authentication is performed.
+# 'SignedJAR' constrains use of certificates in signed jar files.
+# The usage type follows the keyword and more than one usage type can
+# be specified with a whitespace delimiter.
+# Example: "SHA1 usage TLSServer TLSClient"
+#
+# When an algorithm must satisfy more than one constraint, it must be
+# delimited by an ampersand '&'. For example, to restrict certificates in a
+# chain that terminate at a distribution provided trust anchor and contain
+# RSA keys that are less than or equal to 1024 bits, add the following
+# constraint: "RSA keySize <= 1024 & jdkCA".
+#
+# All DisabledAlgorithms expressions are processed in the order defined in the
+# property.
This requires lower keysize constraints to be specified
+# before larger keysize constraints of the same algorithm. For example:
+# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
+#
+# Note: The algorithm restrictions do not apply to trust anchors or
+# self-signed certificates.
+#
+# Note: This property is currently used by Oracle's PKIX implementation. It
+# is not guaranteed to be examined and used by other implementations.
+#
+# Example:
+# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
+#
+#
+jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
+ RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
+
+#
+# Legacy algorithms for certification path (CertPath) processing and
+# signed JAR files.
+#
+# In some environments, a certain algorithm or key length may be undesirable
+# but is not yet disabled.
+#
+# Tools such as keytool and jarsigner may emit warnings when these legacy
+# algorithms are used. See the man pages for those tools for more information.
+#
+# The syntax is the same as the "jdk.certpath.disabledAlgorithms" and
+# "jdk.jar.disabledAlgorithms" security properties.
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+
+jdk.security.legacyAlgorithms=SHA1, \
+ RSA keySize < 2048, DSA keySize < 2048
+
+#
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation. For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm. This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+# DisabledAlgorithms:
+# " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+# DisabledAlgorithm:
+# AlgorithmName [Constraint] { '&' Constraint }
+#
+# AlgorithmName:
+# (see below)
+#
+# Constraint:
+# KeySizeConstraint | DenyAfterConstraint
+#
+# KeySizeConstraint:
+# keySize Operator KeyLength
+#
+# DenyAfterConstraint:
+# denyAfter YYYY-MM-DD
+#
+# Operator:
+# <= | < | == | != | >= | >
+#
+# KeyLength:
+# Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
+#
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
+ DSA keySize < 1024
+
+#
+# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
+# (SSL/TLS/DTLS) processing
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# when using SSL/TLS/DTLS. This section describes the mechanism for disabling
+# algorithms during SSL/TLS/DTLS security parameters negotiation, including
+# protocol version negotiation, cipher suites selection, named groups
+# selection, signature schemes selection, peer authentication and key
+# exchange mechanisms.
+#
+# Disabled algorithms will not be negotiated for SSL/TLS connections, even
+# if they are enabled explicitly in an application.
+#
+# For PKI-based peer authentication and key exchange mechanisms, this list
+# of disabled algorithms will also be checked during certification path
+# building and validation, including algorithms used in certificates, as
+# well as revocation information such as CRLs and signed OCSP Responses.
+# This is in addition to the jdk.certpath.disabledAlgorithms property above.
+#
+# See the specification of "jdk.certpath.disabledAlgorithms" for the
+# syntax of the disabled algorithm string.
+#
+# Note: The algorithm restrictions do not apply to trust anchors or
+# self-signed certificates.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# Example:
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
+# rsa_pkcs1_sha1, secp224r1
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+
+#
+# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
+# processing in JSSE implementation.
+#
+# In some environments, a certain algorithm may be undesirable but it
+# cannot be disabled because of its use in legacy applications. Legacy
+# algorithms may still be supported, but applications should not use them
+# as the security strength of legacy algorithms are usually not strong enough
+# in practice.
+#
+# During SSL/TLS security parameters negotiation, legacy algorithms will
+# not be negotiated unless there are no other candidates.
+#
+# The syntax of the legacy algorithms string is described as this Java
+# BNF-style:
+# LegacyAlgorithms:
+# " LegacyAlgorithm { , LegacyAlgorithm } "
+#
+# LegacyAlgorithm:
+# AlgorithmName (standard JSSE algorithm name)
+#
+# See the specification of security property "jdk.certpath.disabledAlgorithms"
+# for the syntax and description of the "AlgorithmName" notation.
+#
+# Per SSL/TLS specifications, cipher suites have the form:
+# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+# or
+# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg
+#
+# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the
+# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC
+# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest
+# algorithm for HMAC.
+#
+# The LegacyAlgorithm can be one of the following standard algorithm names:
+# 1.
JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
+# 2. JSSE key exchange algorithm name, e.g., RSA
+# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
+# 4. JSSE message digest algorithm name, e.g., SHA
+#
+# See SSL/TLS specifications and the Java Security Standard Algorithm Names
+# Specification for information about the algorithm names.
+#
+# Note: If a legacy algorithm is also restricted through the
+# jdk.tls.disabledAlgorithms property or the
+# java.security.AlgorithmConstraints API (See
+# javax.net.ssl.SSLParameters.setAlgorithmConstraints()),
+# then the algorithm is completely disabled and will not be negotiated.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+# There is no guarantee the property will continue to exist or be of the
+# same syntax in future releases.
+#
+# Example:
+# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5
+#
+jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
+
+#
+# The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
+# parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
+#
+# In traditional SSL/TLS/DTLS connections where finite field DHE parameters
+# negotiation mechanism is not used, the server offers the client group
+# parameters, base generator g and prime modulus p, for DHE key exchange.
+# It is recommended to use dynamic group parameters. This property defines
+# a mechanism that allows you to specify custom group parameters.
+#
+# The syntax of this property string is described as this Java BNF-style:
+# DefaultDHEParameters:
+# DefinedDHEParameters { , DefinedDHEParameters }
+#
+# DefinedDHEParameters:
+# "{" DHEPrimeModulus , DHEBaseGenerator "}"
+#
+# DHEPrimeModulus:
+# HexadecimalDigits
+#
+# DHEBaseGenerator:
+# HexadecimalDigits
+#
+# HexadecimalDigits:
+# HexadecimalDigit { HexadecimalDigit }
+#
+# HexadecimalDigit: one of
+# 0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f
+#
+# Whitespace characters are ignored.
+#
+# The "DefinedDHEParameters" defines the custom group parameters, prime
+# modulus p and base generator g, for a particular size of prime modulus p.
+# The "DHEPrimeModulus" defines the hexadecimal prime modulus p, and the
+# "DHEBaseGenerator" defines the hexadecimal base generator g of a group
+# parameter. It is recommended to use safe primes for the custom group
+# parameters.
+#
+# If this property is not defined or the value is empty, the underlying JSSE
+# provider's default group parameter is used for each connection.
+#
+# If the property value does not follow the grammar, or a particular group
+# parameter is not valid, the connection will fall back and use the
+# underlying JSSE provider's default group parameter.
+#
+# Note: This property is currently used by OpenJDK's JSSE implementation. It
+# is not guaranteed to be examined and used by other implementations.
+#
+# Example:
+# jdk.tls.server.defaultDHEParameters=
+# { \
+# FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
+# 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
+# EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
+# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
+# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
+# FFFFFFFF FFFFFFFF, 2}
+
+#
+# TLS key limits on symmetric cryptographic algorithms
+#
+# This security property sets limits on algorithms key usage in TLS 1.3.
+# When the amount of data encrypted exceeds the algorithm value listed below,
+# a KeyUpdate message will trigger a key change. This is for symmetric ciphers
+# with TLS 1.3 only.
+#
+# The syntax for the property is described below:
+# KeyLimits:
+# " KeyLimit { , KeyLimit } "
+#
+# WeakKeyLimit:
+# AlgorithmName Action Length
+#
+# AlgorithmName:
+# A full algorithm transformation.
+#
+# Action:
+# KeyUpdate
+#
+# Length:
+# The amount of encrypted data in a session before the Action occurs
+# This value may be an integer value in bytes, or as a power of two, 2^29.
+#
+# KeyUpdate:
+# The TLS 1.3 KeyUpdate handshake process begins when the Length amount
+# is fulfilled.
+#
+# Note: This property is currently used by OpenJDK's JSSE implementation. It
+# is not guaranteed to be examined and used by other implementations.
+#
+jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
+
+#
+# Cryptographic Jurisdiction Policy defaults
+#
+# Import and export control rules on cryptographic software vary from
+# country to country. By default, Java provides two different sets of
+# cryptographic policy files[1]:
+#
+# unlimited: These policy files contain no restrictions on cryptographic
+# strengths or algorithms
+#
+# limited: These policy files contain more restricted cryptographic
+# strengths
+#
+# The default setting is determined by the value of the "crypto.policy"
+# Security property below. If your country or usage requires the
+# traditional restrictive policy, the "limited" Java cryptographic
+# policy is still available and may be appropriate for your environment.
+#
+# If you have restrictions that do not fit either use case mentioned
+# above, Java provides the capability to customize these policy files.
+# The "crypto.policy" security property points to a subdirectory
+# within /conf/security/policy/ which can be customized.
+# Please see the /conf/security/policy/README.txt file or consult
+# the Java Security Guide/JCA documentation for more information.
+#
+# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+# TO DETERMINE THE EXACT REQUIREMENTS.
+#
+# [1] Please note that the JCE for Java SE, including the JCE framework,
+# cryptographic policy files, and standard JCE providers provided with
+# the Java SE, have been reviewed and approved for export as mass market
+# encryption item by the US Bureau of Industry and Security.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+crypto.policy=unlimited
+
+#
+# The policy for the XML Signature secure validation mode. Validation of
+# XML Signatures that violate any of these constraints will fail. The
+# mode is enforced by default. The mode can be disabled by setting the
+# property "org.jcp.xml.dsig.secureValidation" to Boolean.FALSE with the
+# javax.xml.crypto.XMLCryptoContext.setProperty() method.
+#
+# Policy:
+# Constraint {"," Constraint }
+# Constraint:
+# AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
+# ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
+# AlgConstraint
+# "disallowAlg" Uri
+# MaxTransformsConstraint:
+# "maxTransforms" Integer
+# MaxReferencesConstraint:
+# "maxReferences" Integer
+# ReferenceUriSchemeConstraint:
+# "disallowReferenceUriSchemes" String { String }
+# KeySizeConstraint:
+# "minKeySize" KeyAlg Integer
+# OtherConstraint:
+# "noDuplicateIds" | "noRetrievalMethodLoops"
+#
+# For AlgConstraint, Uri is the algorithm URI String that is not allowed.
+# See the XML Signature Recommendation for more information on algorithm
+# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
+# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
+# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
+# specified more than once, only the last entry is enforced.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+jdk.xml.dsig.secureValidationPolicy=\
+ disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
+ disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
+ disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
+ disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
+ disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
+ disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\
+ disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\
+ disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\
+ disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\
+ maxTransforms 5,\
+ maxReferences 30,\
+ disallowReferenceUriSchemes file http https,\
+ minKeySize RSA 1024,\
+ minKeySize DSA 1024,\
+ minKeySize EC 224,\
+ noDuplicateIds,\
+ noRetrievalMethodLoops
+
+
+#
+# Deserialization JVM-wide filter factory
+#
+# A filter factory class name is used to configure the JVM-wide filter factory.
+# The class must be public, must have a public zero-argument constructor, implement the
+# java.util.function.BinaryOperator interface, provide its
+# implementation and be accessible via the application class loader.
+# A builtin filter factory is used if no filter factory is defined.
+# See java.io.ObjectInputFilter.Config for more information.
+#
+# If the system property jdk.serialFilterFactory is also specified, it supersedes
+# the security property value defined here.
+#
+#jdk.serialFilterFactory=
+
+#
+# Deserialization JVM-wide filter
+#
+# A filter, if configured, is used by the filter factory to provide the filter used by
+# java.io.ObjectInputStream during deserialization to check the contents of the stream.
+# A filter is configured as a sequence of patterns, each pattern is either
+# matched against the name of a class in the stream or defines a limit.
+# Patterns are separated by ";" (semicolon).
+# Whitespace is significant and is considered part of the pattern.
+#
+# If the system property jdk.serialFilter is also specified, it supersedes
+# the security property value defined here.
+#
+# If a pattern includes a "=", it sets a limit.
+# If a limit appears more than once the last value is used.
+# Limits are checked before classes regardless of the order in the
+# sequence of patterns.
+# If any of the limits are exceeded, the filter status is REJECTED.
+#
+# maxdepth=value - the maximum depth of a graph
+# maxrefs=value - the maximum number of internal references
+# maxbytes=value - the maximum number of bytes in the input stream
+# maxarray=value - the maximum array length allowed
+#
+# Other patterns, from left to right, match the class or package name as
+# returned from Class.getName.
+# If the class is an array type, the class or package to be matched is the
+# element type.
+# Arrays of any number of dimensions are treated the same as the element type.
+# For example, a pattern of "!example.Foo", rejects creation of any instance or
+# array of example.Foo.
+#
+# If the pattern starts with "!", the status is REJECTED if the remaining
+# pattern is matched; otherwise the status is ALLOWED if the pattern matches.
+# If the pattern contains "/", the non-empty prefix up to the "/" is the
+# module name;
+# if the module name matches the module name of the class then
+# the remaining pattern is matched with the class name.
+# If there is no "/", the module name is not compared.
+# If the pattern ends with ".**" it matches any class in the package and all
+# subpackages.
+# If the pattern ends with ".*" it matches any class in the package.
+# If the pattern ends with "*", it matches any class with the pattern as a
+# prefix.
+# If the pattern is equal to the class name, it matches.
+# Otherwise, the status is UNDECIDED.
+#
+#jdk.serialFilter=pattern;pattern
+
+#
+# RMI Registry Serial Filter
+#
+# The filter pattern uses the same format as jdk.serialFilter.
+# This filter can override the builtin filter if additional types need to be
+# allowed or rejected from the RMI Registry or to decrease limits but not
+# to increase limits.
+# If the limits (maxdepth, maxrefs, or maxbytes) are exceeded, the object is rejected.
+#
+# Each non-array type is allowed or rejected if it matches one of the patterns,
+# evaluated from left to right, and is otherwise allowed. Arrays of any
+# component type, including subarrays and arrays of primitives, are allowed.
+#
+# Array construction of any component type, including subarrays and arrays of
+# primitives, are allowed unless the length is greater than the maxarray limit.
+# The filter is applied to each array element.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# The built-in filter allows subclasses of allowed classes and
+# can approximately be represented as the pattern:
+#
+#sun.rmi.registry.registryFilter=\
+# maxarray=1000000;\
+# maxdepth=20;\
+# java.lang.String;\
+# java.lang.Number;\
+# java.lang.reflect.Proxy;\
+# java.rmi.Remote;\
+# sun.rmi.server.UnicastRef;\
+# sun.rmi.server.RMIClientSocketFactory;\
+# sun.rmi.server.RMIServerSocketFactory;\
+# java.rmi.server.UID
+#
+# RMI Distributed Garbage Collector (DGC) Serial Filter
+#
+# The filter pattern uses the same format as jdk.serialFilter.
+# This filter can override the builtin filter if additional types need to be
+# allowed or rejected from the RMI DGC.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# The builtin DGC filter can approximately be represented as the filter pattern:
+#
+#sun.rmi.transport.dgcFilter=\
+# java.rmi.server.ObjID;\
+# java.rmi.server.UID;\
+# java.rmi.dgc.VMID;\
+# java.rmi.dgc.Lease;\
+# maxdepth=5;maxarray=10000
+
+#
+# JCEKS Encrypted Key Serial Filter
+#
+# This filter, if configured, is used by the JCEKS KeyStore during the
+# deserialization of the encrypted Key object stored inside a key entry.
+# If not configured or the filter result is UNDECIDED (i.e. none of the patterns
+# matches), the filter configured by jdk.serialFilter will be consulted.
+#
+# If the system property jceks.key.serialFilter is also specified, it supersedes
+# the security property value defined here.
+#
+# The filter pattern uses the same format as jdk.serialFilter. The default
+# pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,
+# and javax.crypto.spec.SecretKeySpec and rejects all the others.
+jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\
+ java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*
+
+# The iteration count used for password-based encryption (PBE) in JCEKS
+# keystores. Values in the range 10000 to 5000000 are considered valid.
+# If the value is out of this range, or is not a number, or is unspecified;
+# a default of 200000 is used.
+#
+# If the system property jdk.jceks.iterationCount is also specified, it
+# supersedes the security property value defined here.
+#
+#jdk.jceks.iterationCount = 200000
+
+#
+# PKCS12 KeyStore properties
+#
+# The following properties, if configured, are used by the PKCS12 KeyStore
+# implementation during the creation of a new keystore. Several of the
+# properties may also be used when modifying an existing keystore. The
+# properties can be overridden by a KeyStore API that specifies its own
+# algorithms and parameters.
+#
+# If an existing PKCS12 keystore is loaded and then stored, the algorithm and
+# parameter used to generate the existing Mac will be reused. If the existing
+# keystore does not have a Mac, no Mac will be created while storing. If there
+# is at least one certificate in the existing keystore, the algorithm and
+# parameters used to encrypt the last certificate in the existing keystore will
+# be reused to encrypt all certificates while storing. If the last certificate
+# in the existing keystore is not encrypted, all certificates will be stored
+# unencrypted. If there is no certificate in the existing keystore, any newly
+# added certificate will be encrypted (or stored unencrypted if algorithm
+# value is "NONE") using the "keystore.pkcs12.certProtectionAlgorithm" and
+# "keystore.pkcs12.certPbeIterationCount" values defined here. Existing private
+# and secret key(s) are not changed. Newly set private and secret key(s) will
+# be encrypted using the "keystore.pkcs12.keyProtectionAlgorithm" and
+# "keystore.pkcs12.keyPbeIterationCount" values defined here.
+#
+# In order to apply new algorithms and parameters to all entries in an
+# existing keystore, one can create a new keystore and add entries in the
+# existing keystore into the new keystore. This can be achieved by calling the
+# "keytool -importkeystore" command.
+#
+# If a system property of the same name is also specified, it supersedes the
+# security property value defined here.
+#
+# If the property is set to an illegal value,
+# an iteration count that is not a positive integer, or an unknown algorithm
+# name, an exception will be thrown when the property is used.
+# If the property is not set or empty, a default value will be used.
+#
+# Note: These properties are currently used by the JDK Reference implementation.
+# They are not guaranteed to be examined and used by other implementations.
+
+# The algorithm used to encrypt a certificate.
This can be any non-Hmac PBE
+# algorithm defined in the Cipher section of the Java Security Standard
+# Algorithm Names Specification. When set to "NONE", the certificate
+# is not encrypted. The default value is "PBEWithHmacSHA256AndAES_256".
+#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
+
+# The iteration count used by the PBE algorithm when encrypting a certificate.
+# This value must be a positive integer. The default value is 10000.
+#keystore.pkcs12.certPbeIterationCount = 10000
+
+# The algorithm used to encrypt a private key or secret key. This can be
+# any non-Hmac PBE algorithm defined in the Cipher section of the Java
+# Security Standard Algorithm Names Specification. The value must not be "NONE".
+# The default value is "PBEWithHmacSHA256AndAES_256".
+#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
+
+# The iteration count used by the PBE algorithm when encrypting a private key
+# or a secret key. This value must be a positive integer. The default value
+# is 10000.
+#keystore.pkcs12.keyPbeIterationCount = 10000
+
+# The algorithm used to calculate the optional MacData at the end of a PKCS12
+# file. This can be any HmacPBE algorithm defined in the Mac section of the
+# Java Security Standard Algorithm Names Specification. When set to "NONE",
+# no Mac is generated. The default value is "HmacPBESHA256".
+#keystore.pkcs12.macAlgorithm = HmacPBESHA256
+
+# The iteration count used by the MacData algorithm. This value must be a
+# positive integer. The default value is 10000.
+#keystore.pkcs12.macIterationCount = 10000
+
+#
+# Enhanced exception message information
+#
+# By default, exception messages should not include potentially sensitive
+# information such as file names, host names, or port numbers. This property
+# accepts one or more comma separated values, each of which represents a
+# category of enhanced exception message information to enable. Values are
+# case-insensitive.
Leading and trailing whitespaces, surrounding each value,
+# are ignored. Unknown values are ignored.
+#
+# NOTE: Use caution before setting this property. Setting this property
+# exposes sensitive information in Exceptions, which could, for example,
+# propagate to untrusted code or be emitted in stack traces that are
+# inadvertently disclosed and made accessible over a public network.
+#
+# The categories are:
+#
+# hostInfo - IOExceptions thrown by java.net.Socket and the socket types in the
+# java.nio.channels package will contain enhanced exception
+# message information
+#
+# jar - enables more detailed information in the IOExceptions thrown
+# by classes in the java.util.jar package
+#
+# The property setting in this file can be overridden by a system property of
+# the same name, with the same syntax and possible values.
+#
+#jdk.includeInExceptions=hostInfo,jar
+
+#
+# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
+#
+# Disabled mechanisms will not be negotiated by both SASL clients and servers.
+# These mechanisms will be ignored if they are specified in the "mechanisms"
+# argument of "Sasl.createSaslClient" or the "mechanism" argument of
+# "Sasl.createSaslServer".
+#
+# The value of this property is a comma-separated list of SASL mechanisms.
+# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# Example:
+# jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
+jdk.sasl.disabledMechanisms=
+
+#
+# Policies for distrusting Certificate Authorities (CAs).
+#
+# This is a comma separated value of one or more case-sensitive strings, each
+# of which represents a policy for determining if a CA should be distrusted.
+# The supported values are:
+#
+# SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec
+# root CA and issued after April 16, 2019 unless issued by one of the
+# following subordinate CAs which have a later distrust date:
+# 1. Apple IST CA 2 - G1, SHA-256 fingerprint:
+# AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B
+# Distrust after December 31, 2019.
+# 2. Apple IST CA 8 - G1, SHA-256 fingerprint:
+# A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED
+# Distrust after December 31, 2019.
+#
+# Leading and trailing whitespace surrounding each value are ignored.
+# Unknown values are ignored. If the property is commented out or set to the
+# empty String, no policies are enforced.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be supported by other SE implementations. Also, this
+# property does not override other security properties which can restrict
+# certificates such as jdk.tls.disabledAlgorithms or
+# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even
+# if this property is not enabled.
+#
+jdk.security.caDistrustPolicies=SYMANTEC_TLS
+
+#
+# FilePermission path canonicalization
+#
+# This security property dictates how the path argument is processed and stored
+# while constructing a FilePermission object. If the value is set to true, the
+# path argument is canonicalized and FilePermission methods (such as implies,
+# equals, and hashCode) are implemented based on this canonicalized result.
+# Otherwise, the path argument is not canonicalized and FilePermission methods are
+# implemented based on the original input. See the implementation note of the
+# FilePermission class for more details.
+#
+# If a system property of the same name is also specified, it supersedes the
+# security property value defined here.
+#
+# The default value for this property is false.
+#
+jdk.io.permissionsUseCanonicalPath=false
+
+
+#
+# Policies for the proxy_impersonator Kerberos ccache configuration entry
+#
+# The proxy_impersonator ccache configuration entry indicates that the ccache
+# is a synthetic delegated credential for use with S4U2Proxy by an intermediate
+# server. The ccache file should also contain the TGT of this server and
+# an evidence ticket from the default principal of the ccache to this server.
+#
+# This security property determines how Java uses this configuration entry.
+# There are 3 possible values:
+#
+# no-impersonate - Ignore this configuration entry, and always act as
+# the owner of the TGT (if it exists).
+#
+# try-impersonate - Try impersonation when this configuration entry exists.
+# If no matching TGT or evidence ticket is found,
+# fallback to no-impersonate.
+#
+# always-impersonate - Always impersonate when this configuration entry exists.
+# If no matching TGT or evidence ticket is found,
+# no initial credential is read from the ccache.
+#
+# The default value is "always-impersonate".
+#
+# If a system property of the same name is also specified, it supersedes the
+# security property value defined here.
+#
+#jdk.security.krb5.default.initiate.credential=always-impersonate
+
+#
+# Trust Anchor Certificates - CA Basic Constraint check
+#
+# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS
+# connections) must have the cA Basic Constraint field set to 'true'. Also, if
+# they include a Key Usage extension, the keyCertSign bit must be set. These
+# checks, enabled by default, can be disabled for backward-compatibility
+# purposes with the jdk.security.allowNonCaAnchor System and Security
+# properties. In the case that both properties are simultaneously set, the
+# System value prevails. The default value of the property is "false".
+#
+#jdk.security.allowNonCaAnchor=true
+
+#
+# The default Character set name (java.nio.charset.Charset.forName())
+# for converting TLS ALPN values between byte arrays and Strings.
+# Prior versions of the JDK may use UTF-8 as the default charset. If
+# you experience interoperability issues, setting this property to UTF-8
+# may help.
+#
+# jdk.tls.alpnCharset=UTF-8
+jdk.tls.alpnCharset=ISO_8859_1
+
+#
+# JNDI Object Factories Filter
+#
+# This filter is used by the JNDI runtime to control the set of object factory classes
+# which will be allowed to instantiate objects from object references returned by
+# naming/directory systems. The factory class named by the reference instance will be
+# matched against this filter. The filter property supports pattern-based filter syntax
+# with the same format as jdk.serialFilter.
+#
+# Each pattern is matched against the factory class name to allow or disallow it's
+# instantiation. The access to a factory class is allowed unless the filter returns
+# REJECTED.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes
+# the security property value defined here. The default value of the property is "*".
+#
+# The default pattern value allows any object factory class specified by the reference
+# instance to recreate the referenced object.
+#jdk.jndi.object.factoriesFilter=*
diff --git a/java-17-openjdk/security/nss.cfg b/java-17-openjdk/security/nss.cfg
new file mode 100644
index 00000000..3535a400
--- /dev/null
+++ b/java-17-openjdk/security/nss.cfg
@@ -0,0 +1,4 @@
+name = NSS
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation
diff --git a/java-17-openjdk/security/policy/README.txt b/java-17-openjdk/security/policy/README.txt
new file mode 100644
index 00000000..fdf77d3e
--- /dev/null
+++ b/java-17-openjdk/security/policy/README.txt 
@@ -0,0 +1,54 @@
+
+ Java(TM) Cryptography Extension Policy Files
+ for the Java(TM) Platform, Standard Edition Runtime Environment
+
+ README
+------------------------------------------------------------------------
+
+Import and export control rules on cryptographic software vary from
+country to country. The Java Cryptography Extension (JCE) architecture
+allows flexible cryptographic key strength to be configured via the
+jurisdiction policy files which are referenced by the "crypto.policy"
+security property in the /conf/security/java.security file.
+
+By default, Java provides two different sets of cryptographic policy
+files:
+
+ unlimited: These policy files contain no restrictions on cryptographic
+ strengths or algorithms
+
+ limited: These policy files contain more restricted cryptographic
+ strengths
+
+These files reside in /conf/security/policy in the "unlimited"
+or "limited" subdirectories respectively.
+
+Each subdirectory contains a complete policy configuration,
+and subdirectories can be added/edited/removed to reflect your
+import or export control product requirements.
+
+Within a subdirectory, the effective policy is the combined minimum
+permissions of the grant statements in the file(s) matching the filename
+pattern "default_*.policy". At least one grant is required. For example:
+
+ limited = Export (all) + Import (limited) = Limited
+ unlimited = Export (all) + Import (all) = Unlimited
+
+The effective exemption policy is the combined minimum permissions
+of the grant statements in the file(s) matching the filename pattern
+"exempt_*.policy". Exemption grants are optional. For example:
+
+ limited = grants exemption permissions, by which the
+ effective policy can be circumvented.
+ e.g. KeyRecovery/KeyEscrow/KeyWeakening.
+
+Please see the Java Cryptography Architecture (JCA) documentation for
+additional information on these files and formats.
+
+YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+TO DETERMINE THE EXACT REQUIREMENTS.
+
+Please note that the JCE for Java SE, including the JCE framework,
+cryptographic policy files, and standard JCE providers provided with
+the Java SE, have been reviewed and approved for export as mass market
+encryption item by the US Bureau of Industry and Security.
diff --git a/java-17-openjdk/security/policy/limited/default_US_export.policy b/java-17-openjdk/security/policy/limited/default_US_export.policy
new file mode 100644
index 00000000..1f389340
--- /dev/null
+++ b/java-17-openjdk/security/policy/limited/default_US_export.policy
@@ -0,0 +1,6 @@
+// Default US Export policy file.
+
+grant {
+ // There is no restriction to any algorithms.
+ permission javax.crypto.CryptoAllPermission;
+};
diff --git a/java-17-openjdk/security/policy/limited/default_local.policy b/java-17-openjdk/security/policy/limited/default_local.policy
new file mode 100644
index 00000000..2a6d5134
--- /dev/null
+++ b/java-17-openjdk/security/policy/limited/default_local.policy
@@ -0,0 +1,14 @@
+// Some countries have import limits on crypto strength. This policy file
+// is worldwide importable.
+
+grant {
+ permission javax.crypto.CryptoPermission "DES", 64;
+ permission javax.crypto.CryptoPermission "DESede", *;
+ permission javax.crypto.CryptoPermission "RC2", 128,
+ "javax.crypto.spec.RC2ParameterSpec", 128;
+ permission javax.crypto.CryptoPermission "RC4", 128;
+ permission javax.crypto.CryptoPermission "RC5", 128,
+ "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
+ permission javax.crypto.CryptoPermission "RSA", *;
+ permission javax.crypto.CryptoPermission *, 128;
+};
diff --git a/java-17-openjdk/security/policy/limited/exempt_local.policy b/java-17-openjdk/security/policy/limited/exempt_local.policy
new file mode 100644
index 00000000..9dd5b91b
--- /dev/null
+++ b/java-17-openjdk/security/policy/limited/exempt_local.policy
@@ -0,0 +1,13 @@
+// Some countries have import limits on crypto strength, but may allow for
+// these exemptions if the exemption mechanism is used.
+
+grant {
+ // There is no restriction to any algorithms if KeyRecovery is enforced.
+ permission javax.crypto.CryptoPermission *, "KeyRecovery";
+
+ // There is no restriction to any algorithms if KeyEscrow is enforced.
+ permission javax.crypto.CryptoPermission *, "KeyEscrow";
+
+ // There is no restriction to any algorithms if KeyWeakening is enforced.
+ permission javax.crypto.CryptoPermission *, "KeyWeakening";
+};
diff --git a/java-17-openjdk/security/policy/unlimited/default_US_export.policy b/java-17-openjdk/security/policy/unlimited/default_US_export.policy
new file mode 100644
index 00000000..1f389340
--- /dev/null
+++ b/java-17-openjdk/security/policy/unlimited/default_US_export.policy
@@ -0,0 +1,6 @@
+// Default US Export policy file.
+
+grant {
+ // There is no restriction to any algorithms.
+ permission javax.crypto.CryptoAllPermission;
+};
diff --git a/java-17-openjdk/security/policy/unlimited/default_local.policy b/java-17-openjdk/security/policy/unlimited/default_local.policy
new file mode 100644
index 00000000..2b907e25
--- /dev/null
+++ b/java-17-openjdk/security/policy/unlimited/default_local.policy
@@ -0,0 +1,6 @@
+// Country-specific policy file for countries with no limits on crypto strength.
+
+grant {
+ // There is no restriction to any algorithms.
+ permission javax.crypto.CryptoAllPermission;
+};
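Review bot: The three wildcard grants in limited/exempt_local.policy (`permission javax.crypto.CryptoPermission *, "KeyRecovery";` and the matching KeyEscrow and KeyWeakening lines) carry no comment saying when the file is consulted. That matters because the README added in this same commit describes exemption grants as the way the effective policy can be circumvented. Per that README, the policy directory is chosen by the `crypto.policy` security property in java.security, which is set outside this hunk, so whether these grants are live on this host cannot be confirmed from here. I would add a header line such as `// Consulted only when crypto.policy selects the "limited" directory; grants below lift algorithm restrictions when an exemption mechanism is enforced.` and check the property's value when reviewing this commit.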
diff --git a/java-17-openjdk/security/public_suffix_list.dat b/java-17-openjdk/security/public_suffix_list.dat new file mode 100644 index 0000000000000000000000000000000000000000..029aa3c58da4345799290f0bba24883f309f9bc9 GIT binary patch literal 232578 zcma$(c{o(x`wFSFN~;zv!k97ION*2=JEFbBFqkaEj3rt>mi9#=Ds75VXxFOJYQ~tc zw6BzscBE+ioqOh9?(O@_na}ggAD^Dbd*Ac!+j);OS69zir)}G|IyyQ7!LRv0U7dD1 zo}QjF-Sl-@VgKsI;_)h5>o{`_+9rnWi8lcMqz``1{{)~10Z4<%5a_gW4Tz6ZlR9DF zY||o$HW&z@r!>@$41`0c$#F233r>c&2Ouy||HcF!MJS}ec%i|gQ%e1L^iec;2qmGR z6c`GoWrYSzh)0hwG#)sZaIuI2hE~XXr2#YB-*f;PjOI9A6d12H0Gu*E?n563az+?H z!9u~taR`cKOhj|W0CGm+>**~aoKtxI`wHeK!PrY1ble+Co5K-hQ4!F&Pq# zFK6)-xWHW(wjI;~fWc_F z5<8`}!i2f?rp0Xr1GpnwgbmN@<>@U7j3i?z;IWIcD}_oYZXr*_Q_TL7`z%3Nr+PA}dP<2j@t9_xz}i01!sZf1kd+2ACu)DAY5EBBufs zv&f3Aw8CX|S7F(#P5=}}(0_w7q=1uA4voXJ#D&gk;r^qY0Wb{5e*=V4>qU_k6)q{E z8+UX>ORYY{C{!XP<65~ky7wS25lu7DIGAn zv`ibQKi*VPWAkuo_Q#@ub#weNsVU7 z>sM&sNvBH(y~#QKUpkGPVU%V1jQO-I^;Wu3s%f873)W|UVWqRzz9=cVP%T@tN58+_ zFlA?qY7D>P9+>(#wMcq+WRWkK_Iz9bR8d9w=p#e2i=@pWByy|R`O>uQljq;8^CAXu zI?NtC_fF_irF@@$dRp1D$V_2Du5cHW`h4QTyXc<-jFxuN1!d zl$M@f5&z?bhw-zL;L@jeb=Y0zJdWMbUJ!cx+>`9^aa*OUjTX3+b$U0!{oS*z^UF(P zPl>*!FUtLx_af))umx5I7vet#dPT{t8<^~n?HMd z#{6=gGsf13_2@m%Tr`&1Q}&&9ySu(QqvM@DCLP>At-5$?+V-n?dVN@*Yup{P65roQ ziSByiK~jG4G&AGf;w62o#j4LH9js}&938jR_YDuLKR0k2lSkSv%Y1pHx6jSBFOuer zNH5CG>9=XR!r1)f4fFMOBiEhW93@cZaAHQs-0z+S8jb4yws`00Iv#2r~Yy&d?@^LW3w_3PaAt{YLtZVWYIv0w1zm zz7(?5%re~)dEF0)st+ zDDH!+EK+9jRB8rGd6aN<%Y=qTK##hhb;&1yjB_Dw-WT*+X^Pe*7>f8v#a*2P^x4V_CI$H0Wu4J^lSW zgUH8oQmR#b|j%a%iHg6c#vf3F%;- z(c@M1Opo!qRa!g4W;Y=ncX^TNXz73^QB0PvTwG!bR*ZPMDZ4TiP((HkSX6hS+2I`Zv?VL;;9ElNEM1p|CMrIJ7qg_~?HU7_X| z;Vk9kKIniB1)&NBh=m|^BB_v4&g1Ynxa^1B$+p%~g#yIEo@5nL%IT~uLWTV5_o6wW zIb48`ILI?7ih>clP{~yu#Ur@P#)jqS!$Cm{2#|$(hEfDgZfVV?6G=>TNN)vN(4d3_ z1W*r`i62cTCvH4iLZGY$$ULb+ZzyHKl z<&^^B6_D5aG0x|0Y|oBlc2}ynj8yprN0t1ym zfD;7P^LlVa;Z6*aSxJ6zlJx zl@S69@(hR!6?;*5$W><2rLrx-Qis51L&+o>^5) zX7mu7q`9rrpc1+at2x^b2)K2NLJrZAP`r{FCr{bX93~nqSSbhwRkc7+c_4F*&H|M+ 
zJ}5olO4n^?tp&PL0PzVXm-*-x zEgMlM9bPwM;FC*t5>l0?Ic*OO8D&1ovYT)aq{Qw|_a{yUR1mgE38)Xj!IVN4-J*bS z0*ehUhN1NVGAV?lmUP@Uq&?qv87oifwTJ`M03d2oQ2-SWI-kxdk`uUy*0~%+YXHQB zT;HI-pu`(??KsK*RVy!nXk*t7-TmARBer$RS6*^k>$bwhHpSYK(YjRzG$s?i=C!LP+*KockRB-cpk93JkNMfb94XcGsWgVZySQsbd>lzgJh^DJky z69*hxNkW?lP;*rpfJ$NBoMKy2j^i+4*m$ z#kPKvI`nbVjlcR#KT$t!_oLS@4{leCGHIJ0aq73_M!UuSo7;Px9^Y-`_p@8MiRV2Q z9Nsm5)9h|nKHS{KSU1Q1Q-kq}9y1&pS4=3fW~YR7-!ridBQtKWsolJ#P^GVCkAJ-! z5CCh;{JS;+-D#*_fGCtgRCxiLL9k}i;Bh<9?i5Dcp`h>@BqE2(bW1r?!6lUHyltr% z9dScShBX=6nep~UF@TaEa@SM{ENR21Zp*b#sjfC$=W-!xk@APV`GZf}4jp=T!_2U{ zTWsMaL*4EJZQ8%gx|)>w{oIj;yW@^cESQp+2ql&$t;h?_hAXhK;2L@dBeOy#gt%}&bO8;iD-DyyCDzIKkKK> zKr0VqH2^{F>CpLdUQ=6Vy59?bG%nEi0zl-T1%OfF>E|h--X65^)nFqFmdKiQ#*0N~ zSQjv@ar4&mc-tH_HqfJlh5AuS{&a@CfT;ODd%0^7+M{R)97;J8gXmJVuNl`1O<)aO zLM0Si!jLoZKG#Jso{Z+RhpH2=dg+VljOKk`3O`NN* zX#<)LTN*tcD7^^${%upC97IvOby>8gPF;*=V1Kk6V1%PoW;h_K_^VIp^Z!?spbsnw zzB7yg(8Qv;f1`>?J*WVYEjEXD1gEgUz>-+)q+aML_HH)VUM!B1XNd=UJqb$TN!|}s*^=J^7E`TuyG6Xsv zd%xLr<0V=buq*@s@Dc?`D7_F4og*lctBHO{&1zvUbQXfOelcJHo{?UjQVMB6AkNO> z3FsW0LcgBI?nAeJu>b-GNVYcsIRK50Q)=$?@LuQu0tY4Xkx0nS1%Togs+l-eWzk1Q zXbsBOQylacR!&N#6^>Qqf+L5t1tk*+Jp;&jIfpLbbChx%tHc%0VP6?@SpQaAEOZrm z%KSy4{{u`VV6dCPwNHDYMd+&0zA!&eN_n3{F9QA;KjN@#dol&=; zG(R+iy~2f-GPCupc2K#$Sbgq*b)09mNK2?zLW-H-;D_GdX8uXET4?}K1dT}0#za3j ziv|E~gD{-z+9PO&U`14j{fc%e2hwNH zNKBc%U|ymwZUoP@{bYs}#YVTtZp=9gMV^$B7KcwKs##@y%=6Ih3d*_2Gc1(iIQeu2 z(H9ur=#q$*bI5p+h+@+D4E#9#BinvJQw^#vsL%yavMx@Mm7Gl^UC$B*p43uxMbZE< zMFtoOIZ+P1dT#j^ZI48W=|O!SH*WJrbQIR zWZ;;bOib27v!O_md;T1}=dTH&3z)M9qeEy2q**h~lx(B?$vTru9@uUi-uX7$q))qk z)m>8EUp>5ZfRpJQM z`SJv-obwgiFXp=(c2)A<{&vZI*kFK7M3@hG8#f;)KwXPU0C6IZODf9A!6nhI#%yet zj?k9s?rm2$0KlZT2p8&wA1E4=^Hc>^Fvdely{nJ@poIvcM*)GwzF3FK!**1Pe|+5E@zpQRV>v3}PVQ^PvL|w50_(TUHSH zKQH5=5t#YsRZohnsLL&Qd ztO6Fpf+o65nFl1~c#Bd3i|`@k13bORS%8AgQ{mx8r+ z<77oCshu@V$Z37Yj>9IGMzkpJFii;x23JxTAf4>ly6)CFl0|M7KBZo2jT7lvtgs z>uNl1x#jHiHcNjO^h`STrYLbsRKt=Tg9d*}rN`8z7KCSwaol2jJg3}W?PD)?-F3Hk 
z`{B=Lj>)EtKQr@{{igKy-*;Y6ZEmP56}$Voq~{l1I&S~Agvp4ibuiSF3URe)`NHV>AvhqL)bg0b|IfSglqy`T50@ zB8t)BuSQN}UX(bGDNx}B*mf@;Xq)MP8oiiuBqr!z;D;JKZov<9L4ZzzSyVS4UCzUnGH_ybfeZ;-E&Ogq!NuIfN`R8+olb#ve{M|H%VW=r*E)DrxQv)_@9l-h*RI?2z8ClMNw&Pw#W;(8X>Y zACF}?e>IMuD_p{xcJ0fWPP_}_%L4ZIJw8U(c}8)von&s+VE>p`o1bi$K4{wbi)$Aj z$e8L}&9Ys7#&k)x%e#!BMVW)#^FBWRUJ}18{=V*(DiQ6|Ime0*YcyTOg?yo${?hwmBNX8DU=U)ITUH`y=p%LV^7>r}s(%f)Hne=Q7e z?_>T&!ymPu2VhCz&`e?U?AAIuJ%LdEyQm0tLkey$$tc4aG!Bo=5D?=TmG)=%qjdv@ zlps9y6=5n*4!md}Jau9Kz31Zb*XSYR`k+Hf4Q>)o?+8l7OH(-UES-pO*DZ8DyqAO7 zk$)c(nj)#hpW^js3blanc+S(jm!eG(G}BT^sNY|3m~s{Y=umdTS+tqf94$;H69te% zBpQgj1w}+z%H(1PEld)$C=?*X-8R_l!tN*#rPD4&bM~~?#B!m2Te8uy9E44_ytMzF za>nk>HAld+ORRsRBVc&^FmKObASxt(N8_{Utfs=z$<43w(NYIl66Wg}N-00k_#ieS z>JPk^OHw0HeNg`FT2?p9bst>27rj96qW!uYz7VYp8bb8-9{fw z14?fc<$jC|=Aq?vtO9KM6}wjWZxw*9i&9-{s;q5c4=_QyE*NTs zMKx#dUMyPn5xj7DWAaHMI?RFc6i((iUT&W7?NA-MF%18loc7SL?)H6M7i@0152Qs# zr|gqhUk{rI{x>ZkAabGc2&gr|dp+lOjPtM^XV;Tgb?85fTL)8ret8l7(`e%1v0m`9;(E#|C2cqF8$h0~_=|TUcmPu_hYE2cr>uC8S;Wv2S3x-*NZ%l3R7?7n= z{lySH7uJ%J55BmLzeQc7E^DK1d#&#on z)#kj^eNa!c+mO)R#rjp71(P?G7k7U++0}^it~zn`NZY8Y22+E3zORQQ4GT1M^8Zi` zFKpduc&Ty)2icE2j2C6hP(Vx>KKXc|EBY{)e0q8MkR6YJ*W_`2spp{O6CS4S*7dQbmzoKxY%;IO1&NX0%Vk z5`G*IH6jy0Sj_?1%*y8<&7An1|FjB{8~O0Esz@3kW$-u07z3qucXg! zQ?zQ}bOB)gIuO4pXb64qY$BTB_>rhkh`574b;%<1ku)G=6kVqaDuwi-JB3^x?JhoU zd-wE17xcI-4vb=x=|uA*J9W?$G(H*<%S2*|uG0lYO5Aijv&lS&CNYi)6$oJ_%3o~! 
zrZpzwAabopKvyXX@#5={&LLW0qR}F9+$*5tPR4NlAT8D%V3DC07+=Q9c%)cLKxZ?W z+d^AknO7FeLaIK~2z?HnJJSWtVhs)y^&zw;NoF<~eFzv)HP4lpDHmc9m9EF~dh4h| zKD;3nzMfOBf9Ux6-ZB1#uKmW}EM0KVzw)u3Ll(FHI;U6PrMm?S_XtIsINb*g{9*aS zXv%^C1#LcTtuWd08g_aI9GkJ12f`?y7DFkB1UZipfV8c7a(|V@gS!|%vERRAWJn4T zc_2r?$Af(x$5UFAMWNz?DFsTd4Az%4HI^zdz z4t*L8019)7a`*E^$EKhGz_U>725!AfE??TOT@FSGyHwytmo**4T%+#mp1?0TbFZeR zDlffP+(V1vD(E)KV`IBuH?t|N!WFG zSL)mu?Otelt50@+>hA`q8Qh|bLJKb0+0XNY*mG@$)2m8UO=# zHI{2!WN5+H;34uP2kj~rpN_lUg2QYZG#(nNh{5(D@_2`;KnYe4;Ugli*GWF3se(0# zy+HR$78*$DEUGLNbZa@EXe>tEDms8}5Nl)yyH!u}p#YMa=m@y3c;bbY9SxW;YAT|# zU^Jy5jw`Mx(O{rfHj{@@nBVcLY1=r@r5|jb%1uZ0*VBEp+je?Se?7tTy`Nddsv9$y z_jNw*|4$U>*d``;=iTXZN4;1YXRu+B$@!_y-5E>QU8#RR_M_utSPDK&J4WLGMOxRQ zGQn6t94rOb5SkJ3VyWmB3ZAl%U=(Za3(Rj|C;GSVfJ704IbjNIv7uf(x{h3u_!3PN zD1BmTWm-jVDoYo-#^q`$eIS+crWy%48!YI;b>V7fUwgFlK|dmf{`EF4wj1sMN%Rr&7X;r}$J*B)*tzQB^b@aPU=5X+-=`9`}N@#$mm@nqJJw?h+Sj3V1`0a}!%1XhspL&_LJm3E zW@y>a97`NTl`y%okcj20YZKaNdn^Ek+A&oDK+PS~+J8K%#Ab-qmIxCu)6xwULcn0ae5fkmePLeh{%| zCOZtVZUWXJ`nLgr@S5|rVoV0(_^MsAl@QUTj&q=I>qt6D) zp5{*&u&d0S_d(BP{a0DOp8JG0y$=7!DIeLTRS%YqGJFWDBK=K5+JvbagFD)%diA`O zxv~1mdJ7NlHuO1XuKHLVywl~W@s`gP7K`3|y<7L+sX=qnWeb;Jn(fo$JtIZB(YjHjY(xN#@nWnOD zuM7J66*~gAl-|sW+P~4q!MR&nS?S}Ri(+#w+qH_BAAj3%^!H(dS#fS$ zBy`ukx4^?|@8b)m+xLa68Zhb5Qqxm!&MfOcoVC?=>z$de%@#Z~bamrAS^nMk*J8)h z_k+!z{k}D)CLMbD{>69tV&U?m7MTXkjKq@~!aMPZO31lmi5t;oMgs&ijme>tQ`6n) zv^O<9&_JNAlKA+DC_#b~mrDd-yFAlU(6$PyhXkxx@TI^}%h`M@g zITznJa`HP{wsmOb#2ULNZ~y#CK9k#(=a=*T&ONIy2ZC$F5k;4?Jx|#& z-0alcZO8QLDkAMIt|oYOeyQtvwxh^Plw~;e`)g*(<=?BT?=KxHIb^dS@XYXKw(9&Z zA19>FT#!LY%5<(>WJ-|uSO?028O zHnh4lZq2Sg^&8y|`Te;1xqjzBgW?}It!hRF@9DjMU!=Qr>({TO!z+KBnSHUpeXa0A z*Vqw~(eEqY94)=6=1pHa@!0b3U)vr__MiPcuPpa><;(Ai+x2JGy!G#Vx2OAI<|XGv z5B3L{XT*2>IcsJ6PZ3!I(l3v>J>v26z!f{%#MZ~0?|iHCYG$wJaYcqX@5&aQe_wuq zrE{%5H{^0f3Jn zHh%J7>GRz=f5hW89KnN0=gVnrBlev2^y=85zxRO~j_=|cONSwyJ zlAG}jek8{4Dg63V@GeW1aOm5ly)^l<$>&32$6Yp0?$ls%A))J%{@keLuX^k`#aY+W 
zv@*~mxNv>MdeOsPyAA}N2~K)7-0R&t?y_YuKYA`HoN`lKZ=iF3Rldf$`q@1=>Lfz&$>32xzl8{rd-NxZhK{t+1&a(^;U_75+(>~Pi(rRwT zoTbxC%hKJ~nwYt`W!nBqG^yfrQl9Z=Sba4aYCO2Th0i?o!zHb&()GLtFUT=AFiP1L z$5!_*+m?LEdsv6Z=S#c!NcTJny3yd$zgyK*eed>liFC%;PNN?@I}u{x`Q>KoU}0*X zIQ##C-qWvmzRy_p%<)~a{p;&@gxd$Rx@=4~S^Z$ZVWX5WAxEZkaU7;%EV!y{$B6dO zPyKv()t;CE`wYz;Qu?CvxT(^vkpJij3dn z$||cAWlq1d!E0OB>tXu4&QH9N`=<7;P-eKhpCY64XS?1x&U5A7`frah?4p*9*rk-WqehqC$GGhj*sTV&1k%#Xsh#)}<^9 z9DHiTc;&K=b;7;h58MnHaU_fRhW9o2#f1pz)Lt1r(G5!?AN=}p;P-UD<$Xg>|A;w#LcP+76H|3;HO~;nRGbU zE@ry^0#bW0s~7(aPH!I^}&h8g;(Poz4{>Rodlo$K7eWo9!cwm(& z;DxO{-n#uwgVK_T^$i>P>^uE%@464;4LY2>lv`w5HkvcRY)_nJFUQY)6MpA@iSC!V zYJGXn0kK~zSFYRLktSc5yEL-;;*ve%w>jN5v1RY8y2sXaW>7FR9tINWdH zv4x#FcktSM`p5UZXHqjFz9wB7^fAf(cdyY2+w#xoE?vEM)qqjLU}KKooI$ho73B^m5$>uAAL$0}d zDRv&Q*^;%~FT{>@U9a_N+Z9WeC%XD^yXPmber?}a-YD(gMeL~b zyZ2xH(l(u{M~--BJJN1z=e%DXc9!k$pCRwD_ww85Be{zf>&?#+Ui|e3E-}fTV1H@@ zs8zUuIjw&O_nK%Z(94rDp`}vu1$5$OpU0-FCFp1fCV-N_KyX2ylG>_^zzt~PGW^L! zbCb{sAguoZP+>uT6ng1jjkPgH7d)5??L(mUPIU^-y6TuG2DRQf-g za#U(7YfBn=U5D(=YJI&0Kg(kc~iMz>kh6tdfGw5Lr}H$ zqEyh;R%{-j0rZ|Hwb+sbCwe47p;7=zLh0~>lUj0kU{gKOWZWT$^*~SbXfXTxwt$L! zTj0y2r+v}V1?Oor*ABe?xBmg*Ie~Uca~s66@8NLtJPj;`NGOX40df^W9{Vm{p`3lc zUW~3#;&3R<2Q?G#J?xnsx(Z!!)sRXmqprqOF=?u%<(THT*JPtfr2zz

@mzui*Uz zOJa4(=cpCk(SS7i6BbOFHc~Me1;mU{@`Jh|X#K(Q0bnReI0lEXmNw5sSMc(K^8>P=n7e!}= zuJu^aHH9Y7bAe`kic#PBrobqSYSA!2l1oM2VzMGzbNF(i8CKJ4RXm#H(7r%0e=R?O zpxA<@-6vNqb9~YE1)2p24)`;QG(dQkMTJf4!v5QIKU7Pz09NOM4I!kujI{z>5M|(n z!e<=?&SUYRN%DpPqU4Rw`4cEfNlqRS(t*EIB z+G~bzGMZ~pzNHu#vZ6pZgnU~}YV#aT6?h;S*?C$EaL*ZYSQooyfq3=^)(FWPldLKC zNt<31AeNkH)=zmTdSA!tu-H-)gzp1~1mofX0p!^&>mo3q#0Bd{@dlphmiYZ>*@UQ) z2eqyLci`dVp#x9Q0}l`qd1l+1cn1JJy+dpr(A1s3eeHE0dk0`hi)V!($#<}Fz#;=U z-m-C>S#Pl4i^&*p10$9}+fN}gcl83mu-&=;CLRRXY}Oe?_HYb(@}=*+{vX+L%rUyDs*m^lSlP$OeDy*VmA>B}@hn^PQ&EUdZl*LK&OgjWF`eA9+RXpA5!?!MW&dFE`->p%YMp7D6P+5AIq+YPpN|5}sl_Gj3SGku)4TMCbOgodOU zpFcEU;Kk)bey(|S;`+7cJ89gHtGJ6RcG)Z2sN678e9_}}W~-k0$?u#4vivqn)8Gv&PBY`*~!RYy!Js~U~GX-U$6 z-JEq(hID7mXtgtP#2;vI4R(I_T@QM8S9Du4{ZNcVlsS9QyT@%ro{7#0v=~8+03axH zjsQqgdcO6>DlGzfXlei$a+Cs~5E9wOkQ<3MH5y!e!9Y6MVDXt8qNiq<6sN^&5m?m$ z%*%+wMU-rZT_mS-8AQ5s{oNfJy6T`IFy%%J0D}|wX*NHQkb! zC`#!qG)7~iA#woK78h9(#`vmBc?Fut8hipJUQ)_z9lNN=$(lo?6pwm-PekLR;TNbe zkf&bQ*qeMfg+^Q)RgSi%Sd8lpMs2}l9GUN6Ay`wfu2PZo5gp@dxFsXcf3X=VV)iTL zt`=5Rb0nGAm*OB8DxMmIkTmOiF(={L3-@94$5=_nxWy;{nrIO@5M?u73h$H_vQ;H9 z!#8kC2P$iSroF$DCTwed{`BDv*A#R?+%VE30@0~A5)$qVdU_+eb&4mpQ*Pa~E|D+{ z@iG?ZP6r_NVbd)v?!_3ss;o+{tg7}@Xaeb8=6n@a zKW%x>9^}1PDxy@(! 
zSUHohMr%@cK0yzCYPbO=3PB-ReD!#N>ENPQ+8wc`PfmoWfX!yar2-5BrzhTi8{*v2bs4 zFeV2#l=1DI9yG=&i=Ijg4&R{crdi{(OpjT_M#r_fP#0GPy;EBODZth&|639uisbnv zIgvmA?@f2j0=xD9d96m@Mu)TuB3BvZR(O$dL&eQMTGFn0_{WPS2RSaCR)Rkhh;6Ss zRAp{o4R)7;$2l^<<0fx4t4js#Q>>lzk7}L`<={ApfQpJ{oSZmq#$x4 z!Ld}(iF?THfAsJ|M;P!xp=7sbX^E#-M?I|1p$`PH2m>3s$yk7X8}7+p%zJkVjRh37 zFv>uxC0~V$+J;U~w0I^Didq<;D_OfhWm8U6@wen2+KG;DG+;ojo6KWNtkjL0>=Szf zhHDE(3ObQwvM@Lt;_~U+%(Jb~U?5$>J;`@yEV;z%j0U!Iv`|6F;Bd13Sz6)tHb3On zb2NjYEhHCcGKuv9`16{2z~q1(_uyqxo85C3q;~c(uB@7@xBhB-7=7i`&nu?`J2S0C zTZ2gvxMfXwW1SE7dX|F-jH`(gWZRA$agK#XyuDFb4OVNjY!N1QaxigDVgR2AneXed zEwnp1rG?2S_MPmA6gPS}x-V{*A}CbqmOWhU=wUks^bL9%+uwNw9^%vxW6z>C>Dx@- zj*v|r33fU>(6om?Th>pS0`Lw*<4)O=)AWMTV3QxwXxt$|y+!`y0xh3iM7;4}q?5B8 zt(K62l+F8m%U41W!j&*sJSWCID+Rqox1Hu1l~1|#HjF3O@83QJ3$aArVcD+%!B__nTfh2mh?sbia!^L$_)b^BVhI;NS+9?J`6p(zdMKS# zwPj9vR2k3cVZxU~^tnvE>Q-}KkLEGYUi^6-&fzXwIN;S} z@KN;DN6Jgmd{Vi&%Y~7hHEIDLdQVQ-)!y@ zIT$SBGC0R@L<(!g!7rq*TW@%6LO03rW^Wt1iy!$L)LWOX(%`l0y; zwJ0P^9E?4lN3w4WdJ(+OLrr#NzEj~pH3LH>beAb9JF z?Clr|p0#z;!Ri}!Yf&`8{2jPIOO7QN3gSYT>&Lh;Xl&qd$dxSyVYDNi;WOGGK8DT; zJfoesZLj-+_(f?3cQFeCo*B2>{|ECam>T}u;y|k?Bfr+iu*L;`kRK6zCDwNZ1;X$^dtBm#QMPX7&IB1Jfm4KmO7J{}Y zq2DK6l6RwfqENypk7Y1`6w?_3MyVCZ_A>A2*1*_GWk)}SRkgaeNN6Z-;lNT*w1Nx9 zNi?gyhC^7>mt2{KnXi`DSwW^P!6tYpcObG^*i~ra5`@=U_x@<6L9~_xizsgoW?Qfr z#OoGEC+f{Wdk-wN1Ml}rWRyEg*%k#%0dZ%^du>l&bZUnK`s*QJ$^*cY*G^1E1A@Y^ z1k7N`f~ik3XIofu=+-PA(bHQLuA7J!2FxbGeU&o}LdiX5co348u2{ z;GoSa=5hcCX@rNbWvevXF=!HwkdbCZ~aEUS@#cg`P$8!6@ zXf%m6Af)876L@$171((I-Z(7P)x4y-(sPDBR?KdhDwr&TcicgUN7i`&t$E8&$!@_k zv@B}?$^58RjY|ht>OriobSj&AyskU|TFRbLPYp5Sfz@vR%`eR%Da`{=t;GYDA{ zXgWdZ5qVRd^5XK@#6w<7&n@|c4xunZ2JVA-3#se!xqLpG({vM7zJBx!v>}5u0(-*1 z8gf!B#sv$)=n6b8=y&ILfR@C@7LG~D6+R3QLxErLRaV|Qg9e28Lmx6Sg<$ER5=;}6 z=$`E5O3Qa6ilQmoLYA<@!M2RW{Zo>6>~5!-1FGC9%%KA=jzx14ylqN4b0LrL+Y=-m zb*b{VsA3x3VFo)ihQ5XS!irDAOgtxSE!WZ z^A`~_@5ZA+K+zO~x5&vv0k6#A@|~zc(4saB-_6X^=as2TSFqsq&LFOKsyqR 
z07(PAK~J1aa$xA#N}^xeuP%6}wgN=yjDWxmFV3%=_TW4EXd1==V@bK851g^+GxSzyVyr+WgrM+xs+2h0&*b8-JRw;Gf}|Jv+YNSAZLVpmPw zfoHn&H5w&oQpio4LVRMDytEl0&Ba=KEx(!uKSyfvfTWbT!0|5afis#HFfPD$9FQ_wRv}n&V2u|)Kh*BlVkH!$ zUx3)xj}klsIBE+b1oNJ;n$ncz|wtYmA<-J%qo;piL> zDw2deXk2&AM2go@N`TmrXnr8i7FIQZtCH$1=XYT*3LRxSy_uNzLZGT)W; z*F$+HdQZJRdqh=ikPn@;;Po#-mTcBj z_K0*@WBfN=gT9Jav`b&QnH^@SC*E)9BpmbX;N-+BH{xAyCI`&&y_ooU(}SAl_phJ# zpGkZ91@4wGzxyNpERe`eV4w~mmDJfYtES1bppiF=(V7PX5p20{keE_xu>yO2!4*GZ zVt=BNm4*&PAOof3u+K_?+X1%qnhZ1pp-q-bd_5^Cq?N+SsVR#zd;V-0+9qp`1^SoX z5=z(IN&&8u$<@TG<%_bScA}33jfoTh6H`j_7%VUkgnQD{F1A|CpFs+RHjAhi%gPc5 zFeH#0t|f)S7K=k=AkQMJ8~~NYVl=(7vT~)+6HOs_ zEXstk6)~PHnD=`t`dHAu0z*RbLRLjwTy`Q#7ih6d9I`wNl+8n_kAho)+Bw~_>0$6! z9(UfL4+I0Juuvi8PMsBltx)4Qy=#4Spq2%dNOBH(lo$#4Fe+V(7h^Gt=1cBgI^mIp z{fSSX(V+px7hg)&<3wa(`fl@e(0suZ5&!_Rw&eK6NhxPHjiv6fI~#!(H_YE)fXHzM z07K-aZ{|(W;<Lg)vQu1-_>3O=(eze)t z94C-+#R zx`??scm-?Xl@8!>RWKf*X^Mk)wG9dc9J=1oVt5%|k4vhmg1x?BH0hH!DF1eQswY;M1E0Rbl<$b3jCWk2S zkL$9dFItWv-N{>no$wj1)#f=@&|(PxoIGUYguiw|OglP^@G&3SBc``JX`ROf(_zd} z21*W_S5%}fivb1@laI^H=?OM~Z_``k9VERkXW-zAK3-rdNk=FuH^YuHRWw# zvWVeNWzO!o_ZoUM6T&6?D>e2gF!luJI5SIpYu)Rq4N#6jMZ-ZePFmCBq6&Rw5*}OZ zLr&Y(JfchA&Uw&y^s%AY1t7@vd;o(eLOgIUI)gU58X(~m+pPxoEbs(V=c-Ku8VEGK zV(@4PSzy%k<|UMavfM6dDYE2%8Qj{ZJi<)8_5|AWbM-UoOy5E|tEkm$#O`diJiiMM z8UPltlDvZ&tYO7HUG5);a`ZuQATkQc*>s|AmiXt)D>M*jttiDwHG#!|W%gR!{DR~T zkbrcad=|MAhX`kqO0Hf;lUs8b3F&=PFBaH0NAwl)`ZoSX9|r0OId4|u1m*vpw*YNs zAP#@cE~%Smm-_ymq=&`<>QbPPVgdNXTSU)?PnwC=CCHONay+Ic_PnS44j6>?`WgV_ z+(AtgGe$;z(sKU*<<<&lrs4Ys@Hfa|H5EK|1|}@#wbry{20mjv8U#cio811l3x=*q z0Pnm-yJ$Tv#CPfZm3l(aVk(TvCPVP8e7fN0(2W8%x~Y-}|I2X(-UEmM(Q#l$}K(K^-uOZyfr02ERwxa&ZDd6~&klHOfz z{q>6;T1atF!G2)6kEFj$4!xj&M>xV^i-%~@C5J)^t}%-L0wizRr9Z#tX0(t(9|8)0 zZIVIA*-?dj~pnZr2h&Y%W9)KN{(3Hxn9KsRX|T`EDWlMJ8$M+CP`1*Y0lwmh)`c+ed>43XfGoh^5fM3$xQpSOJPhW@ znDqVIu|hV5d3lj@1SVfVTv?sIYx-ui(LJfqrEbe1oGY% zCf>!{t{3rMOKBym;4v(5yC36Bj-&_yO2Zz$)MOI7V&A!%0gktvNnq#m19NZ9#4cbd z2~WSV^VNaq^I^31^9%$FMo7*cK;hFE9Q>rY76;tXwAKI$@&yl!Q_$h6nZ(`P*imI# 
zy!oOz6uIkBz-nrEJoK(&pbv%ldOvbDQNSW{33;Y#2-;Oc9K3xb^$|jG%en_@&XSWp1M8YWKOWBc|;qA|fT96vC_9!PCV0Z0O6QFCKTxOY}K zI>Ukb4Q#TPADLC)DNdfM01q_B@xs2K4FyzAF)5A)_~3E0&8Ie6l-Dtn>_-|#C@3H< zQ8d+YeKRJ%A*^b~-rStXM^|)}%SMO2-jKm}_8E{mPV}d2q0Dr#$%Vb|AL;u{dU&G! zt!0;U`l+7eRyPK%eN?s7{MwF-^Y?s8Z9V&V*uVv?Hnwv+ezD)RC+nRrb|0$1?`Cuk zABSC?TeA@s;YKif<8`+`w+@7D2FCk$i!K||!Jlj_3y4wECv#70*@W^V6+8+GaQzKF z-)6RUuE~!ScN7$WG#}O!i83Ou3M+HLa`>LTdcZrGzJ=3WHe;EU=HP5Czx)irr0F1IAnRp;nhna?Oxz?#_wG0nZ6lxvgC`!nJt-)u z<-De)ORfhJTc~G{usx+F}G|QAkli zftpLKnyGk^w-}9)=2&1iCm9HsuE7O$^Lpz7#LM+V8w`n<)7eVg=k5F zHeNy=b;H0An?ra40Rt>}S$nX1dPWc5?FXlvKc6ICchk&foaw17os5$@S-llf7xlK{yEdlqn$RT7xa;R$|;NW&u zykLPAPqjlNo9!TDBOANrtUK=8uwUJxkF!>}th#(<@sqMSy~pRgFVz3?<0UPn$Bdco zZ&}C7Uy2`>c9GILjx@RGFgj^c`O48H7WZCEc`@vWvv=wmzRN6ktgx`oaLGymILY=F zWf`K;oU~6Xo^N!`w1a-}_jkh7&Eq*@&S1-Gy~B#PcMpzO@$|Y?tJP-~t}#8k$l1Mb zT8VVFZ3j`$?2HR@pWF@^IoZv*Y{>iht&J7#7S78}oYQBly0UHQz^~C8{AAM}98Z~* zSx{9p$Zd5%%o+!arzu0OboQ3qioe=9XzaH8>V_|tH*b`8Y=3#e?1%j}$xGDfv^=F> zK=pzmsz#WvA4SD1_-Ynm)(ifq8_}u( zB|6eGw3$<01&4WbOMG;u=I)2DXo-gU6^YFjlEc8mbTC**jL@7(-p@ko7p59wAvt{E zDR6Uco%K)))xd19*oz{#ye7eQ9As9FjSTR#neW|{K>g-84l zlihWepaEbqD{dZ;FjK;ns}3$tqI!LF;KmGLwKE$Q6?Hwd{&&F8JIhwz2$@{NN6&ZSu) z%O2NQeN(^D%tPQVvIccIOb=&#JCus~6Z9=Av54G9FW~WsKKc&j{JmN-#)l#tg*aVn z^@@L@>59p^*x!@?N@|8_{NOYav zX|Y!ts$rlvY0L-!VdLGV)x83Y(cIR6Aon~Alto0-(_vw^95e{5wjmA-lnBKEVsiN% z1LUMo%6UW$e(TBcS?JmZdn8j^IpxHF9`w5#{a_fh;MuH z01q%{b&Cvw#wCdCn3Y5c>c*1E0ca(FL<#Z^1CL9HDZT?-iDg(@DtLtdct{YXJiD=1Vk-&n;_X%IkE@21e9eR#+qavab(mpQHE`5& z6Yry5!J>$^+oF>DbSaE=PpMfl$guBYD?Y_3LcoYmV;4S zVzk3=&h-iCybTBT_tFLo7&4hkB+slLVkp~(b&LlDR`NXaC4gS!ZigTgMdd!l_qM@Vb1dnE{7vLFw@01~ko z3NCifqUmyF487}H>^e)!6N(x#g@V=x1vSeeI*wbiVSYWDOxU#@aS)iK3dL5ikn<^} z6}Va_2TNFpq$+er+t=u8JJ1}Gly%1ZpeHsRcq^AC>R9Q`)q4|m&glM7`nDsi$d?nB zi?})6OcxDWqwf7SuJYT4*t+gjG2t_-^BWI7-{cKeXM z-_r6%7fu~!^`zup@7mJ`L{YLaeYQWX>Dp6yX6whGIpdCBaBj7|_<~-R-zn(;qt61K zY`)>#lx6Q`-SNKl{<4Se!#P1~dhg%iGRRCk(y=(9LV7$Z>{Q#MYt~K-Gu?b+cQ@~a 
zOZ!jYIx+*C4@4S77L@uO$zK)Z)#~9q-W2io;iLMud*GOLz2I~CpOC=)^r0KGYmfbT zKR9e=#1g|H@bwmfoJAgbH)ySS7UZ(+P-D){f*M^n|&Tze^S`FQgGp(!;uf{25;B;KPx-` z@>_4>c&Wb4pDn=nWk1MCvF#m&ypY6pwK?iKRDIw&U7!R{4eY(4DpGd9|4 zLopyt7!=S!GYg9rOJKziyI5&nRTW)LoeVnN)BPNJ3K7C4C%SafqbHhJYgJ}bNq57x z5m&!#dUbYbP{5@VKYdIRm!2}r*M~Nsaf{+RHYhQ>MN@b*hJ7vMV_|%l$?S0H&RUYcuvogjEqWmm-AP0N7 zh2J8|Smq^`VTBEH=0#V5!Uo}dm5F`NYMFUaYFABHG((gVm!rKE6e+MGC`cGawxM)u zaEYHrn9=0m_@P>gRI{}Uo3l`rZqen#irslO@}CF4#VCBY*@sN#egAlPoBOp(%T0D& zvyI#Lon9+8N5YF|UYn#I@T1!=EWC&>@=)6c#*_T2;Z!VzbFSgb>-SYF7uxcFoygmt@uy8)-}gzgqE4PVzjdPO!{zbY8#?vdYu)AH z%c$WEV{998x?DaMyK->c$^+BN-c*-veYJ_U+$Cyf=#XlwTF3aD{>#TbJ6zKJz`Lo> z);X?(POb zx)DK2X(^?Vlnwy}B&7rir9vy8Ty#Me1IvOE|sljSGVT+<{~m^U&pgr3$6x7V9lQl~5b zo|Fr5p5iEyuj`z2=JkL2xKzyB{y@?DtSI#~-1CE*Ki>p74a_+24?$z!mhcDL9<7}) z-63hpzK1N0!AOm5COVh~t#Z67-OO2E7(Nj&s`pW*_CGuHvtK?if`PS-O9B8g-gku| z4y)|9xvv(&;@+z@{PS~{^|sw(xeC>gqu(y(8zvG8-OH^~y==8CymBT}O3-?UWsGZrMx87w$RLWr619Fu(y^gieIiKOk)VGcw#yv?&W z9w!M2O(mCu`{MNTK_MTk2>0_W*nR#z+wQPts?6V#W1BE;BiF}ni_c6JJCL6QzEr!l%Sg=rlK~k%dm}OE-AN5>^tqn8 zyt%Sy=shxXBS!6e6P-D#=r8WV`SE_EI=_PpFLvBcZ6#T!KgwP9aO7PFs|tl9=lodA z=Udd@RS-V(-0@)#GIYWua!6ZMwvGAojys%{+wr5K9J>pCkt~*`OQM#=ZwE%lp~(M-`=U%$^^&BPH0Y zI??h`4RL!KwQp^|cvcuLz9p?bxDeRJbTDr(dVj}{u40qXnMl@1{5hBA?59{1!4DIy zt6BcXzJ=&cG-WnkS~|??b;ul@t#dv<2}A~C&V-bWa0L`)o}3>QC~mi$?K4E#`L&1N z`#j>2{M`?96|E#UMz%$SfvE>Vb^Y&~1^9;UYy_F;0v6+3#_n5>_=KR}(800$wO4W0 zt4DFyT8SF~(}9m{R{$jLXg90eU*ypy_i2CVVLK?owlp#a7F|I^*s}5*f9qqbYF%Za zN7$hCurzXoeA5ClZeCu2d5)8ASfgTT0+}|ERlLla+;!o%gMJEw7Sz%Nviw4p{jxmZ z2V&a|dAKYglYg?HA~ztp(ci|Ji#C#X$GBS{5I2&4h9}@90RXOzN8zdgP+wVb8@h>r zG;9fQ_WUm%FzJ?ME4+eSn+>*hg05jum}CiX16V^=J_5xk4g4i2JRjMEy;+!KY4P8! 
z$E3Tr|MKl7HyZl}@AF^fdJr+TFhan!&bbXABvN_bOeL3i|EG-5`Mob_{m^rwk4# z4N0AzhaZ~3KP>5{rL1YH2wX#P{VOQvqs z#$A_>3w(3b<%PY+it978GnOW6i8dN3r%Z(l{6@9G2ylp|wU{`R)AR_brrjwEFL+jU zP4!K^{-pG`mu>D>l{O?N=K=O#+j5+*s4c98{1)zOdCht*l*G=g|LFKIE%LWq=I=f< zaqs#^P3w!Kd(7A#>e2#AXbo1RdjqSVQfl>=#jL;Ji{^f!6C-S5EX=VY-97ujcjyyt zt}yS?!&i9gt2F9}m1jM+n~&IRd&$V*LgmAH-UkO%X}TT*nomMGm$cirQ}!*x_5ZX4 z%T2RWSZ$C#?)|!4y{lp(&1LYAt)h{DEU61GbYG}|PcUuvOK}8TG2x!7Pa?O&WLcRO^)^AEc_P9Hbb3QlcyzXRP^b`cFXQb!@beI zA>Y-3Q;L$5a^EwuI`93uxt5dfgpS86yXSi+4K0a%O0%bv#fL39*o}vF<$mX3@6V4o zn0<~jmCla!n|_~om7ni6X}0_+m9}g76{dN&vZEa_KVp#oVD?f*T3j~T01W;KYQBn`zY+k z@(&8jo~Dx-zee9fx&0k0yO#YK&*LDrVC?hL{loLT6pAMCc!RU!_Whmx?dIc^n5^-> z^W#tHdjb@{h4Y;T_A;`(_cfAKsZhEKKed2-@NauWUa@sO8QNCV&a%@(bU|J zxnn$%>YcHyh~&0*U2HP^PH(LuniQg#6xlylki^f0BeA0M>PMqIz$uh#=0uCDjr+u= z>%i<|ZhCT$9kJDV&W}C8=e$ic=5#%}EI<``rya?CQ!9&BPTE4*jxE+maP3l$S@Dp#zt(9~-3CwMB2Ibg zR)Bcp6b@btDKRWA$y2dOUeoaaB)xVN>^&h)BFEPyYCIud3T)qv^d9kv+X@on#{_q; zz=ZII6(jrDPrlq`S|>8pCVbFnigW7!zV1yJ)^NP|b`PK7G53!OK`z-d(KiCj$XU~L z{bR~Dukr9r1ti{7siyGF*G<1kaHO*P9&eYn`!>L8zBv^TRh5|dpyIwTHs&fI@Jp4m zb1WhH82#k37)Hg=7#Hbcz}NV+&>2_?&qP!474#Lv17d#pC9^&;iPPEC~rb9Kn4 z1|;_s$NNZ8QrbxP?TkAiHj@5%YmSKzr-)P72;Wgjp6p`bjSr@&6PX37dBMjsS>P}E z7jd=H&?IFIt=v)#D*Kf!Qp@CIH;1|wMGo8P9y;A$Qu6WJu$GxS^NTk=EfeN&MfzZHP>H47QiP@OVCNy+$9n3Xw@v`>7p8YBhXr?kQ_V%5ms2$GIj17v zts_S$cjH6G286vA)>0iv$ec-V78^ACs@?iZ3N}lybJ?sW(Xh*p5?C?3902$1P0e*{ z;Rh<`Glc?mKG1pf;x{HMX_bB2qe%67N&Fo1I{`-4Yx!w09`4VuNU_aa#s#-39--yT zVA!R@SlnX1jc&%u|2UhhSBpf19Z)$$nj7)dl~xKt4K{XYhOYK44}!2sDo>%7rWWth zs*`u~y}iT+eHuTu!;SUfs^5f+ui#|IhOixolK133gQ;tO33o{QRG9Zo!U7AvTP{uq z`wSt97KH>&)$Lm)BFc6Y3#hWA>=imK6@`X4&q>vLkcLZ|hf)T+guhp}!pYk7zLbvG zjv{H1qZ-&OKT`Icn6SvPuWF6240^4oYTQKV-jwRMxFW@@BPzX-v@gs zlo^nOvp2-4HTc}fm*w`}U>qgByB9|A_ziiTqhW_lSF2Q98pDV9DOp43UxQEj&=rZq;r+~=%kHlB~(Pzf6lMvedeNlhqekWt$l%P zwk86>hJ7hbK;o&$Q^Ah2X;fQzW)c#+-$AfsP3-$Rt0zI$kyI1(*g7akIew#DY_x4 zN`?d_l(f~nUNTesCK>;6qvU8SJ~(TWXAZV%EG$2SOk4y$E5L_sTM_a^^&O4u7|^d* 
zC^#vFP8R5~Hix|$h$_)0H!*lAR9Zhe-CJz?);dbcA^8^aIcv;BuH9{Mks=M^9+G7C z=DU)w9dd=g4UDFhau0=yxNRmV@U7MjEKBJB`1H77;)g=4Wd((3rf%}r+Gis>W=?bx z+CqEIcb{3VynK@Gnb|OQT(8qs$jcVPQoptn>3UEAc$;p)V#b7=hO$Oi{DtsqnO;g8 zdv{3OMCx3pd_nW%Km)PN-lXBf_@sy)G29`0UEWp$m9LrZp8}pD8)w@Z4>8A(#}zie zV$!j&+)~m|x#Nt@yR+f=!bQNE2A;%&@>j`Re43{8^WTidDI39|+9a=2Z>hCnm=W&^ z#AzHR*<@!rHzjx*xsN`i zqt35l8?Nv7t~F};nwfjSJN)RU#vzq+R6kS;+(Y|?GUjB49C9|chU$N!Zw%(9!B%FN zEOA?iPj%x6=~r^USxlm&`OzDRXw0vZ_qAWA0!cMz(!GiiQv{wruRFUch!s8^5$9=W zn1|<+>R(#?OSk?wSq#E(H}dwGVyv6mxgcR0eenFI@~0z`Ksj_8p@Og58?XQiPh^)h zNhpV`6mIbhwt|0{389`k)J**X;s(1TNM&o|# zk!xhcZT~X2`O=q7C?YIkisUH?*hwb}tHarmh2-m7u&Qfc!nw;U-VrD7AKEBJK<=nM=mv16SLb*z`MtgAr+p#2aWXz>ij_!p!3%-hoO9=taft1pL4?_gv z-4M%CA#YKPl%4za;}sDYs2|m>;DkHX!pU7QJy!PNK2Avsx>a^zCiebb?sJUYVt7fT zNcJ!-0A>x#U^A2^HHV|ZmUduySi&rdK><^w{BhRnaZgA0M1v(Q3#-#RiVB7L;#pty zo^&qBAy1lq?fLR(oUBPF?c;lIvs#POykY6KMP2ySmDct|fI)z4^8+r$#tu|f)96z6KBfID7cDcKMMEa%te^hb>AS?qz)gPs{hl z0#wg^Y@fUi^-}JzPD#gYo4b>)EG>!r#H%uV=%BEjE?L-h39~2J)elErNtQ&N#h+4w?*y{98WInSZ zG1-XeYUCm(!nwT@jBF<#;HBN(>tq4<(w!*H2c2%62A?EQXc1NvCGpO44zqwdOc#_& z>)H87L*33fo5l(C_w&6IqdLk;G4rRMV&JzT_mG$rd%UK(?Nze0I_!KqZ6Ps~41-zT zqH6=qam%^;0Goo&a!_*)$ILZ0_g)sWi;#o0g+VeV-cTj$lt48XGoz1G#1ipjz6w%) z*&}zY->0RUD(i{U`D==gorH(yCcp2`q*rP;qSh`=@P^>j4OpM8ywc1V_P5SAa{0qA zpJI!V+J80DiFI;UM zd?#|{?JVPMtyqtk;lNWNs;?9N9-kb(5{5OZ&p44bnK1pL{=lyAjRT#VLtjT(K$1;| z5@qJg!&v-nBe;zDeCjOxjr(81VfR`iHolJD|6;H114E>E6n(-&^stFvyf(5Q`MK6W zb!P2qRq<0>jsqSHm&3~7_lev%GZfoDE1c%Z;N&`d)Z$H;8d}8a7?~3!L*dJwFMscf za&JOP4os=pg}tRjM%ma0ztlypM(};Q^;J*H=Pv-Kk7ykBRY*vK4XXqgyZ{G7*ZZzf zFnpbV-Pc#)@yI43!n_q+-&izqM5tJbX=v`-rliJ<2cc{0 zCrY^=wz74O$GNM=Pa-|hi3`v+j&v79%+}(K{&^?Re18;PYI_|%O8s>@iVNEd7E%i| z@(P(nX;t(ODio=D!s^}?Z<%g+KN}b5kyMs&$ehU?PeY$@S|~mKGs^E`x7s!p>)s?g zH-$^wTt9{#h5V7sTC9z{r#U|0ke;<^YMEpJ#qI#s^MfaM8XT19*7#zrr){?GUI7_^E?L zeJlH)2uluCuaG_;w?r-~J11XHwEFh@#4vOs_(g}Mc=h0be|%Y^0PM>5<({Mw+GY)# zS&xTvE7BNrge%nT3#2+i4YeJSO-!CHvA=%ZtM1dHM(>)4uC244OL`(yT824>NrEmh 
zvi`#6BQEVeKfJ$jiDE2L&p3NIVttTa%NhThs82ltv4JJTI>SE*nj|A;CfF8i#dZZS zli7}6=-<)DvvQgNkdZ~P8uSRiX^uj=r9EF^*oNlNW9*=xQhn>&zKgi$x>@^@9rGZ+ z`e*U7>ikH@v4d<_Pg-Ga!Jp1a)mqNl&iGhEtn*mjx1=b>BS;sRVaV2R5mG6{YZ+0= zt@lrSO68!dqg;9#{4LeGM21+~`zODjI;n` zz3lu&0jqGin9V}{?jN{5Q}ehb!^qG)x7~J9dlhwn{_vAuH0|u{M8H$-8a;mgIzwq( zaa{hi+mS=EPGkuDu3r%A$;L$JO%GveUPYSx(56-~p2@RlS<@?(DLYJzW1%`?jk z8`U^!eM$b!=Qs*yD==*^#$sul(vu}$){~oMOc)5hBh?nTKd?$7oJ4Zx9`9@>;qFc4 zF|_m}Z#!tJuhS+h;&TzshvPV+hxFiP4Yei4nMa+(wv_MvC&)W85eni6`411Pe^C zE@%(u8s6Ifgp2VaW-fJ_=TECz6E>5R%Njvx>v6~HTCMq@_=HIqjAl1L$?l8Eig-`1i_US{=HwO&H0gWRFt zP4Zw#Q;zu6cb>=zr-#WJI0R$ZRmEZ7>i1`AdTmboDo!@hl*_T*eY0>!gx_nSTM38C zi&ntse>SL#EA}>;Ct_--^0M80Ej-VWLO=-MaC*K}Smr2DNc>s+k-sgR@*hKrk>SRS zWnPy1_~o^ah6=WpvVMFUzvnuxM)5Ex;Uw#*_KkiAeM$x!Ms=RlI1&jScF5+NE;)i_ z<$NoKIe~4*%(m6SXxpSJVQyVRq@~vIZ?rV#s8k9X%eMEU43O8eYpG^s#DzV$kNI>^x8b)Q3VzjXM5&FepQK=$ zuL;#R4I#*~ULSw*mPxrRDZ__{VK-i@%mbm#DNV?%tVB-KG}zw<*)bU7Kfy1#CWQ|XC`Ts-Tph}01x8sUjZInWs&tyy$Om9&UF z6Xu8Wc%^4F3H2|1gpN=Z*YMX>pO)AFErG9gf$!)+Sj?uVj)oYNg5d<=p%*TUih@N~FCl{_7`E-YqrXVDQLGbp+_~OAtWN+=? 
zcK+Y7a5P~)$Oxglb${kqkMV)qd0H#>xl7ZWYGt^$VyI3BQiV}8b>IPOJBKsT=Bjth2v!`ERgA%dD(C!&dRL zQWr(n*>brNoHZ#2?FhoRu zQ!AZ3tZ>v%t@yHsOM8t2)4KknxTrZR8p9dC*F89WJ+hQ+ifH6ol?|sFE^BTM{!X6q z<;{)W*J_VY&We2Jk)9&=vA^5D`>fJ;etLT9pk^~u<%_IawWs=js<;Ty)ht{t@-DTcqZzWL=TL`9Z(W%Xd1H_lE1}#c6Im#_sg&o6cFq zvd}*hC^3wv=;{~6OFlFy&dOgL@^)9WBXexW)noOG(NkmzuM(~EOCTRaB z0i~uCf%M}nmrO6@NX15h?9Z44_upZUA->mVr|j)yw`ou#`Gzl7!khkac_~$)NUaC` zmj0V8?a8?qWl77PgpHz1v=8+olKg_(29-lGkadwV)@##%z>!B|dDB7-ac2|xhe&W^p5Hp@Sm}A_xNGnp z0W!r%yJTC+B7a~*WzL9N~XAcP~xi36+3!a0gupvCR4wWOu zW^~@ca&T+2`Xwe(tR=ck^U>b&N-67)p!+BM)-&Wt+{l{FG%OXt;re{~@H*vjzn*Rn zi?~JehU6mU(Bwwlg&|R9AJG_np})O6`YPQqHlJ%UM~}}mIv$OqP;6UsH3c# z@M`T=k75R2EoBksqK9WB_I1U75mXV^@BEo9$7S8p<+Kn|t*?hEc1p1iF!o28IHvXrS=u+8%|eJ(xSj#KD{q(1Rx!2Vpcn394XK0XNd&L@j4+_KxD z)j~zW>@6Gqu~Tv%$>U+lz3x@T4hg?0?VB%Uql(cfL<(=G%vqs3Bf~Mc^+0~0xPkXL zadFeTr^i59%1kNJ$8>|&8^`jcHzMYz`f`N`X^S_7SX!dUKF&XW<)ZNTeP#a~-T4VV z9mjp2k;qQWZG^unqNf()Le4t<4XQ0HPlW$jVxxXbGb9~BrBq%00xW4eis0oQa zj9#nFN{2`s_ao|vDFKJ$r!2btK84?W_qDMfs{75gwrcZ4F%W+|*gVlFgKMmrt#v-@ zYOPw&{{Bi4mXwV!hJTeZ<|Fs1p8W5DXz$F0T2j$Iid%dwS?;OAFTM5^e!UdOtUFtw zws=+XRA$Q*-B!}0CJM87_bBs)?6*F$lCXT8_$>79&gS9q{oc&)aY>I~(tACTZ_zyn zPAOr#Q{7;l?fbAOY)`;D_6ZF!*6bS!L#>yM?pvg_NZ}&A1W9qLCyNh+*R9$&Hock- zvh?-br_5n)y9B3t9`0$dMzofpz zGT;TDachwNM-0Z%Cx!8z$h|E>)5OEiQyp!4il5DBJu$-&7O(0SJ0-R>UN_UX=L{$G z7LjS?vo+gUyoZ$3SMZdd*RVpiwV_#{&mbs?s?{k0@t2pkk)J~i!7|p}XH%}2{W)xG zsZI{qzxE6tN<2Fb{$+zTM9`~x_*s5qsCB&tu)S5B~A8hV7sqOs0(J+ zCW`@CZKjA%*=+vNW8Hy3oivhKfEZpYo_3yBoBd>^pi8oJU$j*XiHI_~okjf4*H-G5 zU1RCwp>~Ya;vN4ci<$(CqLxEb?dH3a<{pD*WX!S-^)-wpt>XzW7^pOE@JC#R4?Y#b zJlSEQ8Ofd1uAurXsr#{O8mVwU{5!eyID8ROxQTc2{T-P({S}-amhVi)WnHU1)2RT9 zgK-~WEu6Y_X^|I_+5?NT^abgy;6B6`6|H|oeNQji&|Ae-O{F&4C>gU13hdTYH(IPftWeBJL12N)IBcQN zs(V*f^8P@sV=o)0%jhqa0Wz;O>RubF?q0`(5$lKI%NWLab&5l=$ze3!&guS}3?s|k zjA47J#>kVbQnW2EU;GaGt)E@SKxIz0nzrS2R|^w2ILBmtQtT|c7LS@XDD7T~J?EF8 z4bfyfF`VQCKQAV+eQv(ElL=qdvlm}xYpYg2iKaB?zi&#ZK2r5#EpKWlYo8}`6%a%z 
zBlmc2FZ#Hm$fR)+IqQ>esYm2dc6Mlz+-mk<#JQOF%JSH34+BN$nR|ztTCn9EPyTgW zX{gRAiJ|0bpcGl3L^Zmxepn9*W`}NRL-yV15&vQ^=m2&!*cP>C=SM{KO z6;^>tX)Wz-fEc@w5K!IB-5`|RD+nlY9Ml^yV}gqy>>(kOx|tcTiXggh2kN2Mi-3zD zTma^Fkd+k7Kp286oCR1$(+ALtAiyO!F1A1jGsr3{=7By|=_^=%PdAktupWZOV`b!G zcCDjJkySzNs+;S!=dK3y@qkvw%G4CHY+6y~s%HB2jPg(DD+8*ku==l73e=|wgM$Nq zzl?lQ359wB?Tn&ARKe@1!q8yw(mhmJIt8@$euN4O99Qe*@1MH@JPFEHBX0L^!-Fh? zW1Cx25LnalW=0zP1(2yZAf@PL?Fv>9V*{3EUD0uQ8MEC0C=F~-kQO-z?4?j(0(LTi zIjcBo5H7&T!GlXnNyav#1-4c^1s6rpC}7Dl0oM;Y6R?#9WQpRS{ADGPbO+}z=<5eo zfCWVTS@&T7Wyz;RWQaa=0pRTmq~yHj1_t}(WUjn`Xy4X1=-c;73?zama42#;R}F2n z&W+!pivf8hD+_0nr`Np6Agj!v^p!i|NYA+e`U}{dSh!tN9_!HM(y9^ZklxUp{I{}v z(Q-h<1QZGVL(V4r2gWkRM1HGwi1nTUX#uEiVu97pwgf%Bv~t?I>R7sJFM9i9@H{nh zJ}T#(1s=h!XR=Df#YUbJf5N8M`~!KrnZ**ri7ABJ|-wOn(bOK z42@&HPufmWwX|Wy1I&6#a*X>1o|Yq^Z9SVQAqh=-L>y2ehH8{}f{&Kb%LDUF32|bF z2n9PUM(r8krw@Izq*>~DhZRq0Pam4z*Q!~!)r|#M)&l{HFP-lvh&~RMGl5B$LUm%g z{eXtX1hog(3X%z|n_U(J$nyn$6r`970E4$2aI>IOhv1)f3s!?8BxN&D))im#%T`4$ z=xP9U&sw?IS(!UtgHG*c9~e>u!>3+g=2r650(k&nU_jRUzxNSXC6FL8>{ms!z?tC) z37~>^=30N_EifQ=0T}TVd{T^Ip&K#)W&azg3oIY9x?vk}2 zsp=albk+j!{`atRhOGZB>*u&4mpLGb6@=`>10}0^^NlZw+}&$}AZJTX=z8d>(~3LOdL76c?z>ptY!{tU>wP;|PL5 zMkX+qM@sNWGSmjI_w5MsR8VNA`%is>P9kd~6C(@vYoC=@>@ShNJVr7OAKZZV5)>m^ z1Hn6i*9Rc4C**-7)34CWAv@IF-*+ickmAS-dW;Ct7*OCf7YP(~bzaY;2a7=07|8am zfdsKePQdnPh&Bsgcc3D$NAOBmbeTvqblV4cZIG~QfecX6-&iK@@U9qiuMOJLKr#Oz zt(bHJg#c+w*@1j`@}Gn3RaN`;lo6is$f-uE1cP;X)@9{Q4%DN-KXrLISyM+l*Z(_N zrd|%YtI3M0e)t7_vKNM7>kfdVbpQ^uSo$v^stA`BD)h7NLJ*LS@LJ3y!>R~mh`J2n z()-X#p$h^XC)U>xLS(Lb(e>pXXh1(sF7yXPErWCdAP&O5%VTXOmv|n!{w^lu>}Y5F z-z5yFLRO|;r7P6Z#6;7Wn@$MQnaZ$Uj^rhgweL+QA zkljBr*WlK{VZ;@j3?|qf5u44Vq5E90Tu96inJaKi;HAeCM=TZS7LdUwq7d*K5B9oF_lN(qd9YDj!zz@y!V_?y=p%)`hF~`XFuI1VCZoW5g{}5$ z;^ZZCHv={afC-QT?b>t|24&c;;LFC9*0P|R1lU9YW{yUX_!}|`EVBKV_tj`O{|M+N zdNHYMv~Jxp3V(^+Jmr45K%W%YPXQA!kZx1qiUtDHZ}U95u(mJ* z0MS{T4d<2lyxf3UzY!xaPKj0@>IL{}RdS3w^18ew2U`i(qQ# 
zYg9m5XxBQDmb^8V7~=@!(UA38r~F8%H=6wA{loBwFvrHE>;GZBZ1iQKrvURv|2389q21_F(F$>{{=i?SB&M$`hg^9 zoK7t0s_5C)Y)y$fW3)gtB2ZG`%{}fxP;|rm&)s%0I(sL`%Rvt-W7(zNG_@u)ZaO;G zYcpiM+HdX)nDEf;2kfH%53N^s4+O2(#F5$!d8Vu_+%2woj}joP+r@1R?d{Wd(5D0T zYyT}ZU7re;KPL+Ou#Xqfc3u=GO*A0eU{0&qAmN?lP=2`Rk8-u3On7opx`u3p0KM($ zh~*)a=0@@7Xaa}PlujSaTGMZngRi-DCNgHAHb>uoY6N`tT0@?AJu;WaRI1(`E$CW3#*VT+#FQsUrQ;=`?h8g3Ssj0`i#wD1+s4B6*Um)6n$* zwh0ivG~^wl2Z%3y6?4n9Evnq`*tRpdc3k!-v0ojR&8?5kppWHZO&~e+x_gwa7^FJH z(k!5_30N_zjdH*8`;Q>hB*7;@TZGln3wqvEPPA zp!_>%|Nrl-!-bNZuOW%`a4=nYCU=Ln8*G*zLP{>sZ0N9Bpf78{y?m#%M97tZX z8T}1c*B)};Gj(6CuK1niUg)cf0Xk3Zt%2xw;LGTBNislwLC}@-%8@L;q~immzJ@l=BqMWqUQtfJoq}#FV7)*>T`(;}2Ch5IP7f~fOA3Mpd7w-p@jurI z9Ekw|bBzHe|D75p-Aq8lTv>&|OP4pY)5Q-x5(Doh7kdlH^ez)y_tiV`lK;ul4R@1^ zJLGZ9RC>iOr9rEQ4}FEeuExdP5S6Y!2vbh*$qsGVidT`zc{A&DTEt}zh&O{IfV zdueb5VB}L{hnM6MUIurH+*U$UvqLM8yN*Pz65+g1$z$ zL>sg=mZ-|9|KbH~fs>lr1<>jsf)f}F(nHODmIL?=IjG;UflTZvfWC7DtMPYI9j2Tb z%85F97{;*RO~=+iG6H%|;r*v@kOkNnnRq~MZw2`>)=M)Y*PtYUZUG?m*%+BRLI4k& zbSuaM0YNXfnlL4s6m<20wi*zQ41)8pTcKb6^0A>%Gy3Dr3<)U0>Drm4(9b$JbSdTw zp~(%9tuH2I1%PBJ1CB+J?F#MUxds&v^a+8SkIl8fM&W8}Eq)%p!Gk9Va1|)P$Q%Fy zUWAC~75e4ml?H&gi@=N{kUUL>?UOj(Ma=nvJ+2J|(+_g%|NE%8P&<%Z>AK9T#K4k4 z2r+cEUrY}&@>96tH5XZni-7K1FP7QS3UF;|ti6hCmv$pqA<+eWnL+nl8zYdI>vvNH zkfi@Er*Q8XZor-ax`L2?8tTYoVU>fEc%Z$R{U_Z-Wo*7eg-a6=u10ED);GqC~ zJ?!mK0t$!BTHnyUC%M z07q5XY2Y0>*K#TuDHGrGpVKzkQfu9nZsbw|dGQ?su{LK4RatKr1wd(psb@BiCV{K5 z2K8+g$d&_XzE>HWnq>ZL=oSO^e*hp);x!RHSM@9%MEN&>>;<1!fa}gn;mUQ%$iN9g zKd-<$8(?j0=i+GlpN4^l=YR~*t@mEtNwDs|cYwaLFUDhYUCtFw{(^9~DfIDx?H>Rv zAGEjzK&&t@z|s5nHsY)~bpxjb-qqJiV}QJ+#`1j}pWwN`#((f(Zy7YHe_v`YCS?m5 zJ_CJ}!Bc20KJ@)`s3?7bX=f0G;B3c=dYO&x4p*V1kSS9j&f<$WXQ4ghRc z*Pplt{=RKvxNQ1E-z%3QAY&I`p8nE|aEJr^po_Se#x)77mje8KwicmJ0~{cN*!YZr z(8Jf%1FU9J0OAi{QRy|zl0AZs$Pczg$V=tG)nngvbhW>CeWiW{L@uHP$DPqg^qtls zAfsCW=p;i%8I|#v1wC}DLbprE;9&rG<^PW|PPC;OqZim;Sx9Fn)WS#x+6e@NuLD!T zUl0llUSa}DzyHrKfLHk1yXe3bmqa64(=qfFz7PNzb^RrfDq%7$f-V5OrvH`ZnE)$0 
z2QFPi)cO~+8yd;A3*dml<<67lQ60VE2q3TcKtButvkhEX(6cSQ_?q5jHI4x@01cGO zWBupSf+q%fff%@|BKoVat8&;&xx@r)M$pqu;C%%o-hgyAO1;3hKCs6RdaL#>e?BiTYxh3>S^>kAe>UOujG{N1JO&1YiI(aFs+z{h4J7eNy0X!_Lv!9C&?)v}F!v z86|n8OP$l@m{mXzH!eoxWMT(dXEMN{ICw?=29Hch4Shrx=6kJtZs2eA+|Od0Z_v#b zR3T;qtiW?L@c>pzTyu*YJsh%S^1y0|%iNJBm+=iM#4gMkGHEx!aha=mYoaj@-JCCM z$MqWP)Bs1H{N)0>=vcHvw;ixAgUn=HC3?aLUzI@*kidV3Br;&TwA?QG`u8{dJ7nUX z4VbvUp82N40((1(!>aF~9r^DJF?cwTx?#II#=#|y;FRH2Ezm$}LMp;VP4Ro`wr=Pd zL$JcG1<-$EXE&M5TIdP`j}9{CVY_zdUv(-x?aF)cd+%G|Z#>aA55bd{Jn5vO2TmT8 zn*HCmW$^f%A&)z@s~2?l_o7nJ$9Ey%nmU*+F>2}7WnV!T0G=S^g@p}-gZwu!42opH z6{a1gqT$?cSi>(8cN)R*cR&^0g8!Ty*b@LrBwhaV-!3|G(bK)S-d1yx&1!sUv`+P6 z>OK=QPS_k66TbAuKc1vCB zb3Agt-yy3d;=45f!Mg*$Pp9?BvD+FV(W4#e@GuB_qSD&&d9aC-+M(7 zI?5cB>2y}0_X{`oRwhkCP)Bb<#t%kuV^$Lqy>V0WjLgG$kKZ~N9}LA^@vG=+E#;XJ z@7+=2K-Ne!y0hmkH^4-HP>UAxrh2+m{W+4^YLeX>ro1AOfzPhwD`jE(gaY;N_Y~a? z9tq$XP{VRy6on?H^#mPBYf!E023w*yX2B zRdGkhV(yqz?=~wsSduBTsSrQ%qMRFu^$E+DcYkfTLc8!zT{D#DOt&<(H>PNqwaZP0zNwCt9b><%k z?CX>~7VSAy>dwd|7QdSjvTJeo(?l#|H;k-HY@E#9aV(2GL3v-^awYq(t?B-}h?=_s zjDghUQ%WB@H@d11JgBKWQHvN_onjw8)rVIM!aW7@>$bN~MX~tc$YGyY+fF|@+T5Ny z>-0^V4>t<=wK5yTTbA_==_6gED{|&!km}Y@rWn2XhEutq*_q_@%?EcKwAvPUF|MO3qZyX#c7k=aVxD9lrQ{T{lt%nv;}=a9pZwtDSQ zQ$C6i)Q;xIMY4adEY2;T<0)Oij~f`HP~V0P!TUVKA_u23=uDif^d{wWu-q%J(2$7T zEtX|teH)(q4Wcut#@hHBrvtN5dA8Jx+^%YjZYG!?F8%O zsW;|+d-(JDR8^)8M+4iezAFD4E^qPtc@%MrzBb%SAS90T{MR|6Iz9J%?=1H`L8bVp z$1ngF)8C4Qi@v+4Ln=Wlt;d?&(IVXIxy`t(uCL$y(#)57vS*^`Lz3;~3_rDCh#zFP z-AIVbxc}|21cNFqO%H{A)+ZzqPB|oZAD)nY3!zd)&yW#DW(PSg)txA1CL-T~_|AOC zASFRt^cL1?gJ z<$WN&n)&Pd0sAItO|oz0Y9vKng_Z&9?=i{Kq-47{9W?B#S;{j$l9+>xwwY=zgGACp zl9wo&Q&@6t>h@vArEeM;xE)cvPu>Ynq%ULLkY$=$j#-GaaB`$4O za!#4yH6vC&=QAuv4&53!8{6Q9-81}dw_LeD5^^CA5jtkE57{W_PakP?#Z)cDer*8I zQ(-(WKI$d0aB_oRmESy+J)%Q-*Y%!LcxXcbIdO7s4MJl?e8B5R-{DQL z1`8K!184Kzi*ckV3J$+rmiG(jCyMzq?`J-dvf9VPlD3P_8jHzv^h)KNx~7fBJz-U* z!Ux?h3U=8iGO<8s*f3F%!v zop)h``nS6{5gVV+={sKB-P$nt_~J7u&XL}8BdL%=}@_TXU-r283rF&<`iyTLrFSOuD`@g#* 
z+rTB;@n`Zb;a878b#NoFp)1+FsPyz3kx6(?2UycOpV-S6wtm(X+iuaCt)tZM{$}m= z2^;xhx&k$=?J&B{uT5}EJqgbfj7Pvg-0PpgIQa9BS8_IB1`MJwN_P3-+HW{cnyX${ zU`HJuklI)0g$|lZMhY4(sCD9kX!321oFyn-Y5@Iv?hv_z(yLZcaC%ns9v`7TOAo^wQNfgTGUK>rG4T}$b;x|YA!7f@XbsLfp^B{c)hn3MjJ zg3jgQTc0@7@xSj%@#X=40yza>)a$Yd^d=P5mA5iA^_(59*SOH?^@!up&y5;1D%C8j#Nd79l zN`JOA4E_1xVye!-4hYCm0-0v7$^m594sOs@GQKw4pu7`oc910ra=;V}D?6}ki)&}+s@~7H<1rN|#|k1t`rio+u&8T#yG(8M zDye2bPcDI{0=PC5h06@xi}JQV(9;-A#eDq$$6YBR)HUfd7Nb9_cJ?APhSdQX8CcBIh8$STq(^|AG&NECKjh7J z6xu4&J_RRtKahSfFnc;!pNHXu;W^S6K|C&ZT>hYI2%dGfqHI&k&j!fSSEC=Dq>3G} z@jfOdM$O-lEjcGxE-R}b(f)%-Q~0P+UOmOIN#RrJKl-0$ZuM*SueUs;vl?_e7oKdi zOTw3`M5Ze&BAs~noymjCvLo$&d#I(E^q^L_t`ZRk``WnEN@Pb)MCMn6$F_*$%pWOn zys196)MIyXH#?~^Hma@JE3FP8j3?!;+)gl2auh=!3pR~LB4;o>M(|{NLTQ0VSn}jd zGn_t%hQB1n`($??;d?c9;?y7XcM^vNR%)8wbn+3#A0}@9L1houzq1_0ZpvZ2Eorjd zle6$83Av`i%U)I4I@G4!8f{$B=qIl!QQH^zCva)2jt>`ITn219OWdaI4ZQG3WpkJg zUIxPD1gazgfn&2gN7>+9V2dZqV(~)1l@$%~H>r@zVtNgSK6|Us!XrlWSvm2~ZsNN0 z6nDei8@ivYC%%hDp6@2p(&mW%94JkNiRLHC_3vcUTb4s%ybUT4di;4)B|) zu6ar`q#x6{Vq%1d8ukK_fNr@Jb7^1N zBN_a;{_j@J`DL^bZo?=;DI|mFd1A7r&dN-wUG|dOBUraaaIF_N9&h>R4)dqAH%Rzv zOD2DwKm9Hv5<30vL-u=lP1MBzmWOXxdQ7-!BYoWE*xq8J3s4W?JxYH2?R%2BR5zn= zt2AnUvA12ikLg}g%S%$f&kR-}%l-%!i!l>XREYa?If#;j7wJ z{@J6i-e$_aduIA<1>c#jmvrO3c;4Fva?+2C+=UIeg>C`LJ1;VlT~h*r4@b`{)d%0s z@0lr6HIa}@1)L#+{9(=*HqS3O7??ode)->974!sQ3vf0zy4E@)$M*j?d+&f6-~WFc ziAbTM$Oy%04=E~?*{M#GNTSoyJ~^GHA{uB|84aP(AWbtxnVrsRswg80WtK8u{H}Y| zeS3d&pYQLF-tX5x9_PBA_w#!0K{W&2Gf0>(Gdfp;JOzOQd4T2;yeL$sa@hH3>i*(| z4w}$FAq*xyt!u8XEYPg!a%rqL=Ta@zA4Q8RzMj{zf3vNrL#dR@ZhOZ@SL zy5?A=HI(~>ry9tfpCA1e^oMC>Y+PqM!Q-6!R1=n4*ZI!qY2THmS<~(-eP5lYFcmg7 z@|jwBhJek6pK<_mhX=k|z?_5Le7wYrP;x~EE7GA_8+9;qD@p;(+`92Y?zdu5fnw33 zs9Vph%UNl&%2Gc#uIjg=PF!EEyU<6&JZ4dgjr){oGBmG)&5g06-s{KxIp{Q6vn}<> z^mU2H59cap!yQ+bZ8R2Jf_oeoR-eQ7AXMI(V|BN`b^C0|?*RjN;@>l;8kH^&uijls z4geDZpF!pT3!mV(?18J+GftfzoxQN{%(_j>j@pcZR_Rr;wy4CM9@}(!>ru&Uj$PFc z*yp=aQ!yHv9mO2>-tbfKBCOlwSn$#JJ&O8yiO2twy5XRveBaL+d@TFaR(gk{YNRx 
z{Jp56aEY>xbWJ0ibk!HQ3y|W#E31%N$^5@Jm*9*4~E(}c{s~=-FFSjH}5WJP~ z=7F2}jTZ}VoYlMeSY6i6am~;2U6GrcBTMy9`RTk&O3Yi{_us;IL3a#(ZC;zE>c}0q zlGflKl*anwdxc}46MyiBU99%r(CB-r;h*kw3+Q*8ZJk!<*&Q`_W7EuP{9QXv^GL1Q zz7yl`T@>vQm9}ktT{7qSvE&O^3=3ydy3g4-_OFggHY*+A{`m6He7CIAnmUJxk<)gX zyiCsEZITVG2=}<7c-E;<%Sm(oe7~ThbKbW!Zr9!YmThQs?z-P+uBY41ifiw~_1P&M z&PI28)LSg|yiV^`m)M(2fvck^2Ec?=R5Sv~koa)2Z6iv3P3Q+3_yDtE3!v8aZsxUimsPIn_1y>XCvI9f=$6hx*N* z@`ly=M7yx=;ZgPFG8W1+#`FdjSILJh@BP&p=Nvmz@3WTZg$Fmgrv1sUIrHgROla|d zo@lomzxznba!;^L&&bpGsvwT1+kL#){Z2&crYjSxr&qnY&-FN+a;!|GIfT-z&*A#= zuD`3VwUd_IKB{!g!Ow4;J&)!+BeYENQt7X#MHYArnzZCRh zgFviQ#n!hdojU2}h}y}~S2@g*=1w;oN}O%`hazciO?vUqdvy_3_E82>T4PS#at`@3 z$?2oz@dQ7gk>=gGZqyQ8V}~ck>1Osi<0W{jDi=?dXesHrxldPr$29J*zMLfk8x`}N zp4~R*8WgRzi@GGQ-y&&{?Djx(q&C}lrglN{&CfqPTpG?9ANRAX-Dtc2o>bbDE)S27 z;RlowD)W>lM1Gk*b)$IC#|IZG@6V5keAHX?PFi#B0hhX2{w!_}qK8{l=DK zAJ00q%!zvwHmSrm$b&C_dP!zUpzS<4%V$SY^yOD|6<4Qoi49_NYH~3Y8OYKv$@~b#kXyj+@if0KElg?yQuEKf`WS zzH#f%gV`?<{ww=$sb6p9UDl16x8C=BIyiHC``Rjv9R(uquLn%DG@O|8Xr(o)Kfs+X z2v^%TW|aEvpYu}e=S3a$ICRjt;u<#FgT1sc()q zaXUE5R(>@9r2DM2&tTu}d970_5#ntNqZhWesXM!^w$Zs1pmXuut8pI_e!Vkl-r16K zd)a7@iTTToX9hFrms@w~u+JqYzfYffv&K*)$7Vvpz6&$YNtCa0nqGgqW727>yrbuT z$9l_bT)o%MYlA3_eaUY{Oj=n|wfUQceaxltrw>?qZ7VXLte39sxGX}h{IaP?&#ZoJ zpPn_ohf1f}>s|Q%!@tF7LrzDWvfR17ogEpuBNw?yy}4OXJ*h%$`_3tfhes5xzdb)e zCFz+<%h_g~2Y>$CpqXNGtNnN8{TS*>i&(+7+~`eSx(x$*M@2o7#`R^KXio7zXtkZ^ zB);VB_|jk3t~v%eZ9b)R@vF{;mT}t_ht=g2|G3ihHgHCZOO&;hR>Y^m087;oK3f-B zYv(UoJo$n|?DD}E@?dfdE;<}#Z1$zs9EYjHR@(Bwn zl-3%1_vCFfPcrlOTITv6|@>t>#}I`9<`$&+G1CXYG0H?QgvM)2oD7 z=P`$!ZjZk6)p5q{X)EG#Wk!zF3Qpn3pWdv&_nppPUvyF7z>W5;3Mu8w7Y}Ux*-;tW zc7$8C$R=yL#GW2U#W%Nf0vr<#-n+WfdV}xOgA3*xR1|l=d&6J(`})pBdP@vtRm>9` zmEM$JsiamImi14WP!j$yV)@!#Z_*Nb%IFC@;@{0Zteo;;#M;sO&vkf?DPW74(Wa{T zrU`bPT_Tx2v&Pe(*`9ZT-{QB#w5Oi!vo6L;|68hb)$+i(5h0UVtkUa}0UIYsp4uW3 z{?dEJ?vqvtqg=90mRyXz-utmnStb3nVAJyFE%ilmvX%4u-gmq*Ex7RId#8O_qS>X)sjqd`C$OR(v*W@9qufX8z4`UYXy&XBKWwEAhu-kt 
zIPXA*nY9<^!3bGJ!wY$=J1x&XC7x7$B)4Xo>NVHLDks*BpjnNa!k&}XEjE+!!ZTO( z`sbf^MXAR$HYkS5-BjFmUg=@}p#ko`pYm>N&&9PD)PE0mDts1OWlX#A(LJ~E#OTY5 za&BjaK3bC#ZX+Q%)q3iT)b$pd6gs!H&XJnHT4(x`GHSoYSM`lIr8vi5-n*4)o08~! z?mYXlWmB5o3CEG8H*BZx{x2f+cst{OcZ84HfZx)AxYGKW7s}kVJ|5rmG&Jyvpk`)H zwVTYGBOZ~jG_nTH(i{vVJeA9;g6^l(oo{*c324L6s|RL8-h39OpXjW((8j&sM3sKs zljkYr1KwYkij9tUt=~7IxFhA*3hr2-mu!1 z)DczU=PSds5mRI&Sa+ri-kRuSx^&2ytuLtCL`jY8)VO*xbWH236}=CnQdH|&Hz}W_ zjIEXq@#|bXU5Yc^#KvU5^356R^+;!bek!8SfSBrF zvB1Od;e<2xSv6tPZu?3ZM})03eI2-IznkpTc?R{)={DbYMX;RTz1pyxdVSlHS3WUY zeGS~+>(@2C+<$Mjr%G4!*fMs(H&NwN^rNZ^)Z7}*tZbgObfKwS{ijQE<1!X(db{T4 z9f|wSIUjj$UdH$5Y3b!@w|bAgzuopWr!Hh;_Wn(BU7;IxWG$Gn@yVUjuRRw@z53a; z%6Y@fxhV#VwmwhNt;ye6HQ9D~yH>(ej;D5H>%i)mZ!Ojf{NnfLwv~yj4ACpJzQ3T* z=Y&4P{rGX`5wz8Y-7A&$2H704&;0)7_k_LPz8z(=w9V+7-QC4hMs45n!7eo0Ds1+s zH<_x6l&;7CT_30I`g(EM-#%}CciOa|v_YZkGoI9{4YR=^DiO1+?rcTvb zGf(@9S%>*H1E#Idy?RIxXFYQ4$URb{#>d`kQ8?Yt;O?hRj(L(h`{a0~oI3WKZC!ub ztaW+EgSRH|le_5E&t@9FYuT!Q%ucWLWV+0`&Ud#|6F*R{txU|?Bv!LG;mqw-{*}=T z#c^3bT-$x$OP;G-EdONtiuO$h3XZNAVYfZ0LP4+Z&t9#0K8Gi%e$GkV^>`qoch{fu zA7^Jg*VYgQYLe6Cwub)?@i`CQH2WhF+Qr&0?wCUW9T6zbOQ zq~~rhG+RwObgKJs6!V#dgWWPik@ySacG(B2d37p{lU#UzKr8a5w2zV6+=H9q-b}k) zerfFbjl44+wGAu*-85eT|c2l z{o$JlVb2V}6ManpiPaHL>h%aE_sn2-pHTVB!ODJT|M&ALxx0^?BZL`*Pqc9~HB~O5 z(K)Mz-V5aCKu8|K8p^l2Rs$4ev|4xKGV6WhB!^u)T%j%KhEPQVn(W2@eI@tbVE}w_ zrYgu7*5ucV)TM@beRp0HzH?fNB~4irob(r`3Ybm;VV!%EuTEq~-GifYs_G||bO5zh4(qGK zXAQ%rmo8eM!Ki)xzuyRX)*;SZbN~rFyy$lQW~U@E>C7Ty-S9rfGHz|R*ZlPM?6`va zQ6bW&rl^k-arqr{w0z>>eb#GaXnT+MX-@g}qtTmA z!Rj-9Jh=PT?l|Az`zT1pxZRTTr-N%1l3tD2hXUGAkofU{-qSMjt3e$A3>VO9O&sNE zr2?kd4^HxIbjch?-T?rSnc;ztxLTQ`53h5Nl>zx#ARzz%yj<~_L@RTS1vYr?uHH*U zav=c4`hnQ>r-$HUUji^aUCj!mjU6jv4tcB}K94Uwj1c`2Q1dOY=-0ty?Y-pZf%*{` zFwEbRkzp)z+-zhizt?xjC)UCj^mX&66Y|FbDtjn}>~}Hp3Hb$~SS83q427{=K?VYw zQ*`ybdWvwejxki|4FI4*^5$r3&>1>dQ_|KbBjyB`lpHy+X%sZ8xr${nxkU_q!fzK!rnX*BGE(yuRXA(!khhZ35Y1?E8N2vp5zps^^yT&iJVUw!|f z7|>#*keK+Zt??wc+*fNNd`y`ex&;()M1x_EiTuJ)03Xo99F?mxI@YR_zX3>tG5oy< 
z`dGl>V(NIO)}775-g78Y3QmEgA({lAoGpptlIEd>AX?E=0E;3gb^`ztS}0nq$pZh6bCC zl8YFaBFrJSi?n}I@{b#+wyemnO%WE>T zZ*76+e@iRE==r^KJJ&UU-%?Htco^}6z2mgX~ygoh8b)Lk50 zO-^6_lsrFnL++|)AJ6aRQI<>S*GexM@pDzkK@U!HK!%%g-s?uCF^89z&;M~sly?7O z)w_Kgm8df+&Bxvgbhy8F#Ms9n_a{ZRgdY7=u=)G5^WQxTYbs{xT=6utI8t5^Vp|d4 z7#)6P^`x2%fsx;p5%#WfE!oLt<)=!ipQD0k((;;N#oPG0X$g-wAE%Fea?~(iev#|? z(#){QwkynRuiFRQX7H2=x83+|K)QnA%HX(&U0zgVYUPG5EM!0Z;IqT9E{mv42`JS;f< z?c9EmQ{QS+=UH!5FAuzBSeIZQokgkbp%l=yFOH4!_R(7FbjS@?{ZxKu^&8N?MUnWDf|Jmjz+m1;(=d`eeUmRjA=St z?NH5Yn!~%>+N%4>^FXj3i z3`On@I6c2IbE;t0)%;aEZl@e~y`*>2qP@;@{i)+mU(Irniz)Fi4CmRN9T7r*|Lv>1 z)$VP6%%I15S+Og3Tv!&mUb|)P3C>ra;{U`Owk+SHGfy*a-KWedb-Gn5gULc{kO(}wJfxw$_sBfLMy5`nDuCq<10(9Wf35+ZD3*x zURKmt2nMG={+bvOKn?`!hCsRxUI%JgaxGD#ruff^-Q>CfmN=jrpNOKY!NXt-KGRBs zlsE+Ye{f(BC3cz+bE9C96^tMFpvige!ZlYnQ?3?(S;_F1D(L%2hX&6;D(2r`3UVa^ za73Y)qPgO?->INP6IU^~D;hgZzKFoT7d?06 ze^8C<@L7IHeFP9XW+|qiTh>L5qGCQc@8fQM&MoqJAJD{!05ClZOasHS8O0PBt9-#A zqd9qROe3E-0r5uwo#};RGm5EN4K^sPuDQpWoIjAu;a92w3~Z&^?1IIiaAF#OVS9wx;UtLecO zHmyP)vT1Rl9AuM1(>MPuI3QUV;NcaH@5ZN?a`Mg8(WsL%Z7+*l7Q&|*GQPn03{_L~ zBPi)Sct!qTU;vybq*P-?^Fw1QUZ2oU7|MXZ5%9QB6TB#Os}OZ!uyg=D^7fBPGa1 z4CLd3ldu@unDhWo0)+vTm8O|mbuLQesx5|($$fm7H6cJEiNF8@ltMDoPc0&6O#~(^ z(2H=pTs1xyWl(3j^m%d^SSb*;CsL{hcP3u5@;pP%$Y4?w7x1jy8X6-Is% zn2!NW5EDPy0XhvR!3Q%0banOgnxm1~rJtUh>V;-L4?l?jW@r3ZPymLqbMo`8;^gd% z0N}d$DTC8#r->B_v2+lju0KwK00b;-P%J(RYIqm{Rnh-jlA#c|f;#}gL0P3@)kPI@ z2>4Zkz=JzM8dh@!=7YPC3`c*|74lVjg@@xUvg-T`Sb$oz^`?;1E&>SG!RAB2A`uEL z!TY%`ui6)3>oFxo!-_Vl0j#UCp8h}(S083wHo{Cc8ZpI3g7JdV;dT=)u*;| zi+1V`(VKnVQaThhu`8b*c>JvBu6TNJiSLLtsjL0I-OU=iQBb);Lyh&Oef*KT&OsNt zlg4_uhpj!C5HIUHwS|}RP9Sk)Od)k!-3o^dk9LJcy1G3tpBj_e{GqmVtmqMXLT~k+ zMGj%Bsh{R;GN*0R$VuKd_vVPtJB%;R=T6L*E}Pe-{Gnr4{w3f0>NhXPFa74(urKw~ z#xqU>NluoOv}6m@Vv7{>yKl!?Tz}VzxI!=GJ_h}QKN4I39 zu6l(i@jAkD-X(vzt6`ORRh=oF{^eQK>9H@R>dNEmH<+AMEEl1<8Fq zR2CYPGiT? 
zGc2oKd#`au5v-SyKd=AV9p|-g*X3rqMD=SE$#R~P^R=-_hksu=J2B_oc`@&kIkrDr z1Qq@wb}f7LE!S#yv#2lo`7bS{SJq#5TEpKya;blw&qAi!{<4zyMM=spy(d@9n){?b z{O+sKwk#R351-g2jEQ2DIiEwn?5^Ir^JrnZ+?OWmxrv_+dfbt#+eWP$In(h&_@p#1 zojB!t-Mc$LCbHz=;t`@IV*;bsh1kpSxg$mF8?tUGy8Ekp<6)@`t?}r&^OmpJ|Z8#nV(2+KfPz(ieuj_|J&@ zD`rfz{mVnuOH@)X?>#>tzDQ|#%(7!?6`DEWeX}I=+4FA{JN?%;^|+*=r0s{Z@zXz@ zP0Kz#Y4^I+WB+;1I(Awtt;MI=u%LB*V)z;(#@pjB>u5G*3pKdLlXNZmw^eS=J=hiM zm$plBi-yVZ@>_3;`ko0A9v{x0pn7B9ww^-Mz!%dOs@;F_n$vxtGr_<8;^*LVA4}$} zU;C9k>SEa}X0&C_%;yQK z$ms*~B7?BR17Hm9@QAv>sVBEMVRg;$^#aSM@ti1NgWZ0p{d=wc+Fo*Xja-OHAhl)< znz+-tlCX{ZLI^}4uJMCXt%KH<%5XTDEao92(;5Bt z99L!Esx8x3DQIfzPsuueeRQ^t1lQDJj1A0bp|2mmfZQU+uq*-l^h{_2q?aq+W}%pY zd~}Tk78mmxIpa6EPY-`vCOs6_x9hr2kx#dB7 zI{#dOS?bKmVWK!D1Ic1i3;|7w=dBBxRZg z8)O1eSunRZXCb-RMbCr}NB|`C={Q6^ndV+TTbKN^LkYY8Yqvc>BCfU9=^V9yJYff`Cnh7noyo$hO#}>E zh!zua*`7T3fS!y6+RTWW6M#|SPl%G=s9{Me`Nuu?xyzhR>$>gnRM>b6G*pQMU7d&qc;mMAv>7bzTDv%eE9~iZt9vUE&Ovfk7TE zvTVMf>}S>jaJb>iz##nXc$H;=jlmciq6h_V%kQ%wU(fugWSP#Ae`l*Mx&WwP5)7Q z_12Mxf*?r;UiY0HF9I67nZlS*prJ|$bg36z@S(h8=BF$%4|(E{4e?8h!CqaVGe+R@Gl+0 z!8F_3$Wu?rIRH72t5*OaunE>>shMK#*Oiy+#*-WL5KA-hnt0Vv>^GTlMLJAu%^IaM*^v9a0I>vgR>g)?uM z?wkbAUL^w%^n2|r%B?4V7|8eX^#WV^2;YkbtPgYSQpNi=i<5sZgm;KHLa#Hh zI!KV!NSh{P%%X7b8YMSNpf=f{3qxAQxZYW)di@PNCJX zEe3n4*D>sw@(2HF8AOJ%V2Uh@q<|-RLXRQzx0N1}ksZo0lqP$dYgGe## zv#1rQUxnBiy3N1eEBw8|=50Jp1_krslo`SrQ$tr#=fHgft87}r!P?}}hgKP$^IK6~ zK@aHPTJL4;`@;HKaD&KUZvj6_hN~wbsaIpgH^oXEbmOlHQQ`n=Ot5$u{}=&^Mwbisk_DBm z`Y5`WsS_w2l)TVfg+8h?k9uEpKReHQ8BFh!rm3SBfK%!Xds5^l+}wxg1wOqM6$@Nc zxlLG1&d-v__}rwLJ^>rPf={jT=KUL8`5}ksQ^zN z8ejs2uLmpRxkg&YfE%AR4c$*;UU{;9mDaHnkk74ZECZ7-Qg6ajSu;hb}92kt} zdle0=Z;6%4Z4~mzL$MI|L+1V~=S*1L;B~yd>PhnVeXmF9m4unP_4`e*l?q}N6#lx+ z4*D}{m(k?A?iNOgrtKSx<#sf>8>c8+YP~lWBp&fo=>W%3l=We^4Y1;bDq`@uD zcH7hY-@~&<6l5xxZl@lvbX~BXmr!~(Z7${az0UeA6|^@g8-q*qw#^V76m?811Sp}U0%KmPxa(e{V^dF&!p3ei(U{LA^C^YbIX$c=c1g}6;uoCup zC;AJ>#WwtM!-9Omh8WP5azTw(poTuXOWxLF$X_mW%Rs!JVTpxAh@ zqYc1dPS#~_&Bf%b1Cb7bAUL1^L>+TL>vF8s$VrF5_z*^0QY^U|gQG2FYOO|*!yp&J 
z_eB5@Dm=xrUZfP3Xl}bk!%^emV|~!e45a%KLQR(3!OqmkV;hBt?;u~wFVNMO5Pr1e zs$24vY3K_r^k&JEe<{e445a%71`#TC0Fnj|E7p1cg0D|*Ng_c0Zoyvo0vAiJxiW`~ z#uu+@G_{ZeO@vPb1GzGo46ue5Z>=DJU;$5!fHr8#Updl6hiamR&v7HH;Lq^DTd9^@ zjui(Li-unR%_nCCNGJr-@hZs@+rE2nNcjU2GY8xlZ9AQiU1Jkie z&601y1Hm;UvVlaxGgfxohve$;&5%$KAkfvD;ptCU0S``ABdAs#obspgn8zg#0>F|5 z$bOuY3IslSz4;me%;k&)rHVc$H(jTFkd&QZHG4+)cf<-KV?QrEU3nk4fYq@62K-Xo=}bZ($&#jKhJ})3Do^hr z=Wh6`xzh<>jfRDdgR7ssAlFLBNnAlCHJ*EDz}`bG?uRq(2$8vhEi88c<3+ST0Z@$^ zW`SOp?tMaTVIh}tCs;)^9%>Tl`tK8>#sj&OFJTHT#gYd~15m5ssoqr^a`M8qr#on1 z!jpzKI1r&?p0+Z1Fan_rGZ+jsAm~SR6)@5O)T(pYRst^6RNWMvfV=_QFQfKB)#^|k z+rI@QtaAT?M2U1zCvXb6%0+G$OvqeVs+(hpi$f!OHj&>BIR)OKw8SPMCw!f~o%|FC z0B(3R#qtswyj<0@cYquKVV6+6=WclkYqPkgv1cv$8-UN?LHNq5sPsHhp&?0r23Q{9 zEB7t`cf%~&x})WEXw&GyNKaKftP*d@i+zFoP4ayg`2D36KA}Mf-j)bz2i~@EXMoiH z;f*H`A59rM)vd8!wHl;FIhvz-+|{gTRP}0h;po8LUXBS;GO~TiX(l9YorYyMSYdh6 z{kJi_2pK#+Xj0S!>uFJ!K;ys-M{Y8Un#UifeWzZ%dDs zd{dOL(YJbLky|Oqg%|{}z^}H#Qpc3yF#*C}h(Y)`)tVrBj^AXjc_&5`vIK_jl!S$! zCnF$$SQ){u*2FcpT)TF`lUyypGToCAWYzXNP+)3;hS_3KC%k7uf^|7pfveM zhSi=Afob^Y_u0}}SxBz-V6ysn;ltH@J~kF~(Ep4^A2jFlEXbn|@ZrD!9lUA42c{k> zZlVIF?jaY)@ZkvJ0lnLc{-CwwOaq_64>aQA*^Z`$l`S}UPnIM<0|G+WN>AbQKtLDC zJ+ytiCq!Wyd=Ub(fMyOgl{%3+_V=MdQO9>rgW9;kYKGj!v$-lf&S-OOY-Ja)ETG3G z>QV9-N+UuK?%xJ7%$@$O__}Pqxg}c1QqyyRM$Vn^iSYqDK4#Yq#oMy?F zX$i>-(L&s9^WC>m!1;zxn7~Sn;p$3oG5A)NgKZ$Y$5e@uD>W2`SbNO3;t$pxcWu|b zK@I~eHipMvYhfsSD^=WH81Lz8XOk;731*z|n@|1*U<;Vx8}xVE0AHZ2j%ymYFYPBmZUG~g zA_|7VAz>97O+w5IKp_aSQ-Ey`bD4Zpi=4k<>B}G>6r$3%VXJrtxdwm%2vb)yFoX5s zJns;40Qk!U5IgcTOrefEP*Py7rcno#6!euWH1F*TjHk~%Pt9Ac6}-Bb>S8H*bSx|k zjwn%Is)2_#yzhkk4zYSmW2kt`!SYrxIS0TL4`ARWDZoITg}N1c63Hnp0mc0Spc+^g zcNUAN88kqNrUlhZU3o}DBz$?Q3k4I0FH(WU6rQ&=P{!W%Q!}1iL%<)AkY3TivMaCl z8&{EkMELjd!3|Imf{Z%F3-;a6x<^D#!cMQ>BDHDI9(kw)|KCy^#vY=$I?o1bJrc40 z)vxu`YkZYb(PX&?FMSMdZFzD!j=tmimw;~D2Wm2rwC!d6iaV91Ha!|^uVH<}P_Q8K``@Q0lRq^CB#e+f(#RV$ zSc_=trQ{&6>>08(NVsrDQnuU2@{@Gd`FOkYhus7k zcYZ{;EV-Vyp?;O^G1kMClh&#@>Tij=XWRD2$h6dB<=0+I^JeDqC1U#O+h%2(XLy|I 
zymDq{WU=eR<|BzOU!TwaF!xct0#ZTili z+VUC}r%4j}=jVXj#|f~5@ZVA${yag%N@c$bDc zrJ8Mlg}j`WdZm)TbC`7@C<4;~AdKteYgcQKvo8F?0nA@^2EYMj;%NLVdOQ3wr70`p zp$w?purCv~ID(jX9|mM*P#;FR*Ivj%`oJJ2sD>oo&CE(2D{u4cequ{5br2eb2N5C$ z8kbafSkPdzQT7aS8o`eWH=3QIflcp1d@8UT8g5X_YLr2JZFBBtdvaeJK3)i&MM$Y> zSgBF5l-fq4?ziN}gVXgPULGu024NUBMMGerO66+~W`8742c05M*Tak+0+y%YwW2@` zV{~`z;6idnhe?J{kraTyKa`lQPYgSTbu(t_#wS9-*x@VcVJJK!6oAUO!PZiw|Ih<8 z3u3LMSunG5KKJh@H`U-T5a#CZPQbTdn_ohGijfANgebd(pLG~i#zbfhEZ~CrB`OV- z5H>ZsN64Qw{2sx84R=30{R_Zw4IY$v<8wfHI~X*{RjrF2he#g(q_~&RI_cqaZ!i_{ z1qB6A9S&$f-Oq-nQlRtaWS7@OL!Scz{I@KG>>U=Nm5GWqGX2=iY9lwlA-c2Zpk)jn z%A<1COnE5X7ctj3l5;*JYe2gVKE6mDjQReWB`-uDJ8}|+3mqRbp>nOvu;TqEva5HI zp9FycB5TO*cLi+-Kw_c3*2(6^o#ZgkQwA0;-46^1DTLYa-o?KG7?;{>dPD41_T~kWk%0<NsHk;TXu!`Te+BSA z$EOFVXl~$xc++(u|2e+*iw!ITtiNRD3iqzvd2JS;lLX$kU@YUhbBm?N7L^o-lZUsC zaDkN4STX-~Rrj>OXE!7N^n`JrY;4?T-^@R;LVkKrP^&};b+b)rYJ&xki(|{%$v-{J zLl6+b{e^&(vADA1W&0{}Ao$~Z(eWRjZGq+OYiKD#EX{_`;^pe&P8dzhw%}W;E2I3( ztq2t-KMSlDKye`8rhTzEIX@%k@$jJgCBI#V90Y!2 zLs?f4LL48ZH9@5Idk?+5L64K$GSy@Kr!OU}t(ucekIeR|36huj?R;gw@nc4dZ?Cca z-a88#)ns;OSs!rdkuY$wDPI?t@StiU^mZ1%%KW|-yqoA@-wyn7z5VE+czw;Tq2=eI z^)7$LM*EO|Tv$ta6EH5I0F_54IFmm?m=1U?hbg&^Rn9WxvIf3}&)?VJ4_#wZYlWQ|SR7TwF%Ln8J@of)n;8bdN2}P-!WltRbS*L!?)CZO#-6z>XvY>v zQ;uu^t|dD3rG0MU^92BV<*@iL-}%uAg+Xi@7b^_9V{vV-kbF0k?_9(OQ?o$Lfpzn& z2ZoD|>nTp1pnhs=XK8q86x%mp;Qg!ZzedqY=cH!Lmd=aoDKU1x@x0{AVo%=}V^U8| zz4$!w_l56s6sLLQb{W?!IWOK789Q)Eq;TCxd8F>NadO^WXl6^ru=j%LHe{U7tTvIX zR1jNbbMrmD+%EdwA(dRw~&c3LPby}3TPIyW@ z+AyO43c$`3f<86|4Xlpp?vopw=`&L7Exr49Yy;Fos+KAcO|) zATDmf)}&%x+?!QBkC2}R0Rj7d2q1%9xCgd=5W-`ERS_d(=pBJCu8EBrlCP^2a!n75 z5yoHsk$?`;ld3rEsT5;1 zZXM02qS$qFMXN>5n#Z2U8*VLbo}(n^AJm!ePs@C7y>v=-?%tBpxEZwv8z$skaA$)h z^UOYPcbQl6$7juv-1^Ge@z2tGRZ0UDB`qKC!=v>M+paPN#@+}%Isbv-L-=&PvY7=H zZEisJBXs?azXs(Zhp+mBxe%ITM96Ogu%X1Jm&B(=axR2IK`b!K$p3F7E|)V{MH4U( zXGR_hg0&Zu9!zjwl+D!4F%M>Ahv!vt9)R+<;6wlhwDkD<|1TO96vT1{L0!fcc#-FC zp)3;uN^Dt&k4GJRFK^Z?b|KF)LAyc+!N9f|XsiceA`FJg=cBjW@?fP23UA9@j+l^71V8tGcS85q$x8L9a86^@8}Uwt-I~_ 
zOpY_Azj&KuXV1`i`!LV{L#4l4{8X>W=jT-D9^;JhxvRob&(diV%a}7yag5*28rSwW zI`5)S1Z93xn=m=KX30*tq;Kx0Y#kdwj}yZ_8(1g=xe#6r4Rb__o<`b|3k8@OLHJ0B zG8VbZuq#v~rw05@g8T`lwle5bKwXdrR|GWjZ-RgX66$P})%jSVjg928Vsa2zz7f9b zOBahgt~pSNBHGEe=4Q4DEOQ;HzRF*}j1&ylUo%=Xj;k)vRI!ZZAo14`l@eJRfZ$7q zB|1#8V7wq!#%6ZTmc4hJoMP}f@s;Dsps;Hw46eU$EWC|%uwo&5p`Ai^y>y^mRbnGF zZT7&)dPS|5->=d%uNLmrx^~s**%DE1gu#{ft@T$F=DYg4`@48pdLN$EDD|LzZqa#c zSBkUzv_6%pBd}HQ_Sfgo0C3CfVQ&f_6d!5M1CeH&ga7KpxvnS&uu*nWCYbJbY}{l4 z&#Gqh!d``r@2j0J$hmByPTPl2Rx#602^t{bO!|94Lu%6fNFDQ@g4pWx=HKQ&t$gpy zPaHEtm!DEtsOlE-WLd@zs-2d#Hbiy^@n1QKL<;F3qo2$ZBN*oH@5u$mQ z)tUa}O?%Ukx9;a11rx^HWZI8?FE;=Eq1c%z>!hY0ON-w7W~*tiOPbSHy@Jq^fe&%x z)wYI+O0wMJcq6Bm|H|yF&vj_&KX5qjH0`~5ZTK07oZYnzxy|!0-f?-9J*%;z*S+Q{BnQ*YJ=*ScMoPL(=_GEC-%CcdSY&vlrQ@*;0@w&$UZXEvGU>7*U0 zajCJa(HD8DAp4f;-=pa>v&;3G%@o!bnyK5L89AFerQTv6Z5{A=2dWgs7FFEX4z13kW=zbY|sRT#6)b_!7_3cZRT7yPTBVG-^}J2os5?o|Zg zgHbf7+!3TT057R%PqUb^G8c^1+;U;oDtC=_UIzPyh5!ckDj;0lINP=piYD2SbJ>t5 z>VCjMGDcz2s?LxDI{VwGQ+Kzpq>YmTf9y}<{^-9jzRdP+Sz8>HBb_F9KyUuKyNSnl zU)B3@=iIxLagT%Mij_rHaI*f(i}`Fjv+04dW=T_m`tQ|glQa)A6XJPK972*NpUOHP z_B&DLkm`PK#`YqEuuD?Q%gPhem`i?)lV2g`d3&z?n}>m`cNtG#+3j&{M9mo1#PHK) zOXWn`m%%|>*PV^p>EJ$_z-RooO9~knL12FuVO|W6W5LHJ#(WLbT0m}KK!IBT19Fdn z#8x^UM-A-F;tw{{Jvg75K%TUKdBPv>F7Y^Mgz@7ugU94N0Rs@?FFY*zBHz{YNk{-f zBuO3H?^8XYUxge15`nl$^t7W+N6u=MZD57uuI)v>HF`zK4VtDUX$vA3 z+h2@bb?a(xkI%l}KjRw~2Yk7|ee*ACIhXx2+UL$Ot(JOq;Ag-ar7KoaDtj|eXqio; zp6=`_-yXVORCDi^q-vUGldSUPUjbswWL?uyR8cAIBSuo1ifBCDi%OR-$( zP>j=_qco-xJKeN*yuEgDjotC?)haT1*7wc-dq|g-zS-8+PhBS|(fedh)5N@6zkc^! 
zTIoEYa)Mgr!A!|G?U5HVCHHUFJ!$O{w@32*ii36;)92Mc{$jcLxv$B}k>gn__f3BH z#%)@rx#vFXJ++Rj7?WKL{2%BaiZYzEQ@UQtf>YuFXPO=?$BzA^ezVXa5 zb4S~xkRbCPx769It0?kQ&RU%vcroC&RO3PtYl+5md0MuSV}Zs4>JO9CuikHPI+UQc zq50*x`Bs9xLf2Q<>VllOJ_a9>%OoSX@tukuJd=ZOmQDV7xH>;^WXf*QZ`zGcbc;&w z+#cqO(e2Z`$`;6WXKjA7-DE@T3U}7%<(_p%QPL3?T>0moHxXe*twFMzXUy6)`@ZNY#|_tW`8p0Y*q%aF(S zUu}q6^nIg`lw`ppZO+7B+C?333`93qq~QoCdGQ7|(!XT{%*y!C>?Le24P5(Bp$lps zpzQl#q2%C1s4r)xPwP`a8urvbu4!8cElOBR9Gs*AhT%3j$;Kh%lO<4I7OwPuQ7!mE5(2zA9mOusJrnVyNXE>iz_Mnegh# ztZ5BZcM_Gut>a8oQfi{*kkv$MoM!BWzACxq#7!Yl=hlH(wpi>7r>|Nj6*lVnF?v<4 z;s3pP)AaSCbK2!|EB*3!xs98C&M%~J>{R>Z>z3RdcSCl+R?D}zjEJe1td;N5vtmkG z%41HzwOdD4ITf3MBODr*5g=P780_FCd_|fS76_T<)-|2nQGm%0#-;zY!ONVd3UBa2 zOx8Mf`&)AIBT!)BrPnrmkjPxUMvZTQ1&Uls9Y>KvO@^<=^t*c%+U)4!&ipG~1u&PE zt1n$txLElLrC9OGK5^KTXKbxCo&snlJuKZI#~i42JUDTP5E1>Hu4V=T?^g0IoZK;o z=6S$Y12pFEZ(tQZ7%r)>bQv3N#L}Q0r78f1?m1^LJ@{JR)G<|?wy}-syi5O zP@2C6AyPpTx&tOrCGiyWQJ}wnp8|efc<-142~A|V{F7QS3lQsvH&de3Vw)JAa?rv@ z)nP#)Yc1G|?oIHSITqZ({M4b>fv3r>HTW%nZRU6bi(@f3t}vvbU5)%Lz-0EqlZj)2 z+GvUIriqf18MzE-#3NvEL8BxJj}KS;YlO;br1l2`!NR_7&YB9Z3H<0auFujwTzSO95pimc8+apHOt8_0&5vB!W=n{ znk5=WzwGrxh$JX-60mrYcoP2LW+!|1neM`#grI$aH-MgG>qTuLTG^1x1QQrl4RZzR z;z}CGRVL(`1pCtI{%-C}!qf;36^xjss+(b>BdYH1iXeAQ;CDSl7j-T?7j?98`4722 z>x!mId5)Vqb}M6}5zj;al6=`s=gt(B5Ko%I>4`G(T5lgKk2wAG_ATFbJ9^Ax`^l-y zgA4tarMESGdJd08Jtv*_i3$Y3@O%E?*UNCjFTtj8tk~EmwwoWNPyTvgsxW+g0z;s6 zz<7oeur)NSz&>C!vMD~1(?w1dzSLxCYAE@c;E&C~^*g&#IGR|q=G)Ga ziR2#}=3K^K9ZDR~;Eu@@r3AM+Avu@0RuzDtV#!s)sbAQWgb}+YIE5C2O%uV(a)dYu z%x*)){H_#LBxNj82ix96lX!a8o^epsrXsl#33B%(tY=lF@dnqkmO04lk<$qJT z103^MaR*z1GMDLmA^+r1&IN${)#z)*We>Ib&gP$)K%R4fK0E*-*6CPrl?Tgorrew! 
zLw+fU1w(*+O}G=rJC=XqKa+oW58kmdJpdkba&cNbSeH;@(0%o6Jc8gpQN4mktBLH60|U6=YL{5Y}N>(NHJPa?X*{zc^v0>3VI!b$@x9#)CGFGb3N{B=R{ zFa%$?Xoc#jftY<~$^Chl9-fTA5KsI?1l5{jTr^;(==Y-i@XBoHGXG{a_#&Y24JRf9 z7MR8y7oGQ({2~Yhp({ne#Y&0qEe_5nhkyp)hj{sdhs9Y4qu*ymy()TeRo25O znqfH+B3l^U)e~PRo@-&jr(jiw*VnE#B_|ui3t@CHVRuMWHx@%Z45H_7_$rSu@MlKXBDE&C0$}zfNGg zo^3znYC%3#x&2;VR`KJPBR2-MxOaWJ89V-iY}_@?Wsq`NKgnvzM(~`oNuP8$9W;C6 zbX%^O8tC;#Rm}0|g-^)2AJP!vbmq{_TmcAHtn2q6!i=2XUO`jtz)tm z_SGwlXD$q^WNiT&ov&#&w&6Z|8d{+*^K3~FRH)=QEcM|#6IK)E)_}Eyps9_mNz-1~ z5dBFfK68S4#gQ!TkzYm>{RIp4C*K(j+YXg&JHF2c;Lwl!+lYrAPIwTs4jk8Cm8$|R z1IJqNA`j&MA=j8N1eJ=b40}B2{`@Qan?v7x z@wNUof5i7X?t7}3{F@^Xf>;7XgsLn|q_&xtVLVhbKHd9+xTLg}CtM+E?_1ZE#SkIj}aHs*N zmPq=;SSQrA^m{W7N+6O4X8`W4+HxY^E%6=KVQQ^EaZiz)S}@Ve0nlYU%Bt0amWM zb_sHzhRq0PfQFYOEyKxt72`K*VG7q^SBiTWSISCM#0+<*gNGy^wUT|TT5L^m9 z8bEYFpt?PHm{9uN*bLcpgcV+-)vO>lRNzbP2DB+A02RNuvqmFM{HLbgo2n&0qrP}3 zeuzz?l*nGKTq2up6XburNc;ivG%uYNnW+Lk>+l{O{4>$DWpz>bpNXJ1-yef~NqNg- zn}z!X_37Z^*KjbpKkvkeKS3B*_IFf-a4=0pO_@zsa4=;ry6;?cL|_i8e5n);ra7ni zSaSvr=GLztjXi+~OtaM+DRLNyR@R zz9sMP^YZkApT4_Z{M(~B=@^1Nb++pPsK{ja)|>yuZr%HDY+f+J4H6OAG5_z_PZIxq z?qC6S?hDe@b^m{`pG5!b+`)qPsD<%_-dRqLJ@_4Ow8j8h=lm~sWavBk2aj~{LnwVZ zp}$60E(VCPEoCjmExCW4miI{hroV4_@g9WZUM`hVBj-3MmkhnM)_CwT{^ns`LHZ^A zCx}d*Wxd6KJeQ0={Dt4?O7YOJ9;~~7i57?ZPWL$zi zu)a^LYau&p_{tsx4Y1Mwq5=L%(m(#p7mW$^*0n8$PB%Orq|RD$;oA}fRmX!~d3i=Y zI_qNJGsQjRHXwX92n%}pgoh8IrALLLx>`0sb|v{uk&^-DyUkja~*XySvQvUes z|D4DbEpo8OxBic7KDq^DC*Zkwgy)>+n(Y>nXct=dwZ^sJ&G_POkB7Xg^61f|6el?f zd9+eUr2Wku-#s2C_2a(h*DK#+$&UtK6~Zfqo-O`?L3l~}H~q1759wcxxBNfi5kxMA zhjrUdd3?8$91s4gmw~E{CJMq%plo^i_Dn=6I*W{xA?G(3>jwN1@TORC-vdY?>Y)nO z{q6=nITmCjwLn+|p#&kRBI2VfcycSbJ%Jnv$hW_qdLJx0P)X!(nv+b<8IUAu-3_a} zYe2Z+MO$lVY3GA3`6rCvcI>rF^&0;s7naa1TlchFBfQR5mg`SU8-I%^DkQ%pq#eKq z%xSp@-T)+d@ei~$!u5MnlfI$<)wXwKtz5(+x&O_QO0MPM;{ofY73W`HZ;dE@>4AFK zkH4y!lOGR;i3J82UIw*>yY^tW>@2{dT)F^^ zc~y*SVt039cXxL#u)s>~2IXM8&*zfEd^)f^|(qj9>lFnGbZo-E&6v zdA|Gb|Bvs?nVBV|09ZVcixS;P(X2aYPURe 
z;?E`qb=)*fD0TeidB0N5RLJVpPvRfs!XR>wEbF`CBP;Ub)cAPo?;JMIWd+xz23G2> zSnrFT#~Wj+C_i7jO3D%On*!oD1;=k%7r)75G=LU67g(uhzGXe8ggKlHtduq`B;*ge znZcB|?26wK6~84QeoHv~@vBPgeZyR@1ZttOUB-vG7F?J%iHqx8W(}&UTx8LNTXu_t z!{WE7n$Y#NNcG;kF?Z6Mu-^~c9)E5^lQg$7X+HX$W@@dmGc%axw%zgDqT;uO#cxx| zY4k$p#IFwGsi<99^G?+A%f7K=G}K=ZlrmZOn@s^zq0MufC$|VH)A_p({jILGgQjhYHfVp2a^9 zIqcZbck-XRUO7>c5K(~i971=9tl+-^@u6Yxx2a;g-wHH-E3<3mmobyx1{(X9*)=?y zqt%5if4#D`x}%IoEprudD+k4rpQI8!Gi-N!SX6viSbW%~_`RxZG_M2md@Jn=8gzQ` zUnM3ebAzB2;a&gSGljB;?~V_TiVqKq4_7s~?sZ^KNEVbRHm$+udAQd5bAt7WC-S;=hK6C>H8auB4e6l=k4U_=5rQ2SefyEikQX zx3__AJ@XyBGCu6sTE#1|z24RH&(ex9C1P59#P0Zr^`;4KOguUNKtAu9X{)cc`yTZE z^Oz!1I}E7>$46}VmD<30^>PLFDU@}$XVGiRr>^UmYvmZb?KyJVX%^P~Y3sRk;^f4g zMI62FT)c6(kapFWqRn{Ld|_q`4;{aC<_)mW06BCZ)Z<|HruGi|2Y? zD&5#8ZL+oaRdqG;Xqmm8mBx#hkvwnaj~zJ$Pa zs+7KrOU|scMefMb%`(^)0f!R;XF(;ZQc51@c`ji~N5#rCy;-aCpW8w-Y`_sLqgesJ zjZ0p0?#fQZuuLqq-T%*tp*2nj3`z)CpAZ0aN^(xW-xwNNy2;Oc~cO^_^<-?Z>8Qpd$EK6hnhnZ`b8t9YBHP2T_K zM#e^Y8nNtI&_5=rh1=gv-riEF$LtmSzyG;Wlw@{4J#K1F!tGx#`EIS$;FeX5YGyc@ z#FZvXWxkM1?42|VzoAQH&x|LtYObnKuVb4&Pzu%W+KZEaP6n0ZX~gcNWiy{0Tcl2D zpYHXw)bt}TT~G9@moYQ>G&1DH_FXTgnyfnbhP&Ll6y!3>)+=q2(Q#v7n?I)}D*UMb z(})mL!M47?Fn_30#2ksvbN*aJk<77`iF-{Z&c5M3pJL~gP}(g|QNJA-Oy>CdB>z38 z(oA{0?`(=9%~aRpZ!(rlqW|W^NRtI8-@6eXUxdC^l6f1lt$7BMnZ7e|-WC&S?nZvq zy{)epn$-tCx@9z(U5N`!mdbtaMkeWg=2enu;h#T8hLd@=(zMYbnJ@pPtul=*(s@7z zlUWd!bojRqY43aY_~ScQCnGSAM$$TyxCKgcCm?<4 zrtal08BAvR>=!dlZDF&G$=V6|6f^y`R&d)tCxgCVqDUrj)7BT$7n_w1)4LX1>C)(f zy~annG*eQ}_x)l0Kl_5%TN77pdlq@zw7Q)BO&8;E2tSkLz0dX7w(ViX+PTG6y z`7zU866x?|Nz2%^Zuh_0rFWL3(Xp>GHjY4=Npnp_gVgrD`L48N_teW7cvu2WZsMlx zPa}>b1+6eCWTZpll2S+3_FR2Ii7qy}`h9uEjAY`ry-yD>G)>AbVae)(io=#`>41!y zrO<;fR+?_c)hgowns%e<*{=%w751f4ONDwfxpGA-9rD{oVnSGMLQL_xC?*RXXved$G7*Vwc`J2rz=6nro-%v7gsC*6z9vrp+7Yx~!~ znZaaMMm$r63T!8wOP+U3sp&n|v-V{$nN^WVYfQU_t<&v&ezlZjW*jI#|If*Ynm)81 z9loWeHGOc>V|4g>4Lz^evXiw=ikXvq)+oA0L`2do(+I#p`*Zu|Pga!i+SaK{{w$P8 zCTib{WhPsLd=KiAFX{3qWh6|D}`#eVMX{O@n2f(W?Zk*8Q9E>{S17v=iBByTRH35R?``J 
z(+R0_3y-|!PWj&`TpF`u=QSST$4C!d(r_@zxc54!`S&j*ACWBTf3`w ztjOMswcd-3YZI6Fn<&Cz-yg9T<|(bWvgo9Q4A$4Cg^BY`7Rh}NJDiG*8l))r&2Evo z|D24duPrN*)*XczPSRY{7~x^pqS&-rMJjzvo(8uhw@CSYMqKdt7)d8f(OUG8!x3z`PLrJoDOS1n5OU%=7-rkRFOV)sAmd8w1qLaDyVZ8Db3>!4LH59~J4m*&Q+ zJ9oP%cC}qXg-5@W$&|SeL=1D}z}R&;tEI*@3)4@a;6WAjPh;|gOP}s)@=g1oyy=_u zaliEMUt9Q7qcQwG@nVifoe%d;7YHli_iq}ab{d11^RKd)!+Dpd9Hu3{Bw#z195<$j zkO(WoWp+0(59V(|5O>4O{+@`3pgM)YudN$+Jb~(zY@BhGk4!?g+f;KuhYwUC^ zo_XHb?6_3d5I#Jm^ZOT$IA7qiH}Y#RsEyBM;W?q-zr1kGFWhqIpmqCw&7*ml7ZyG_ zK0V})R{8hOUeNZ+y?CtHD=){Sfc)iix3!YD86R0tA{Z8EGq6lG{z)w{I zzYn&V7s2bF6?te~>5~;JfN!#Ook!fo92MF$??r-yr}|jA^;?$b#zNz#Zm(O&I)1hnd}*_0 zT~?Crwwo1_H#4Ow#GR&#`dpv}JCiG=&D*wH{HGoCuu=#9Z;j62s5h8AsbP+X&A8=6 z=RID*y-c1BF^7ZOpZawtgt{A^MA*fFZ{GcWFXz?+jp}NlRawE(n>^)Xo@cj%ak=RM z$z6bs8iU@=>o-gskoZKzez3Dv{l5y8W2L?-VMnbY~4Q-0mFsqRTxVU*Lj>O4%| zL^6lBfB8I#7QMTGUE$6Pjr(}EO9YH7c9Cvs48p?$V4m>gD{pSCLZ>&UH54O^fb;z+ zaa8iJ>8-lhm0@hwxO!?NDpqk$>aQt)8g^4)FOzHN&Fd_xS>&`T&|EkbQCpw=2)nVB zwdAnhuj?GtxfX&GUvSyMc$0fB&2#A_`u!U&U_5E9ao75Kz>|Uepj!N% zeRJCC?>9+BG5%~hcAicSqFc=x=7kzJllv^pOVPGt#1NESF=(cx=p|6dna$RC_2sX} zzVRZD-@he-m5ms$F3u4bPbuBZl*P-0G;Z+5wZTD>_xB?GhtmC|5>zK#rS0nHrL*Vj zJ-F81k8~F|2;RY<*YW;Wg67??wNAC-91-+5)9Yl+tGvONkM-&CBQxletaJCR_x=!` zq^}L1TG87h$&Vhfl|$>$S*{Qu?-mpc`A`*lKH;0+MbZOijc(xH^A)}N?d_IrAOVaK zs2#X!u!;)TO|a@U_OByGS~WK+q+}Yl;nBJ%@bbX%Gq0)V$c|$()z0p_iPozsa4=5; z4QtT4N;00DE%8fR$kf>)V=v_Sxq$Z8?&@?Oej`AW2i46L>S3sD4SIa82j>#tDh@Zv z{AFi%mn6EDeFbc9as!Qd#w(xt&!J^LCRoXwv8b_mU{$E2F7T<{0^COnaSYzs+&;fM z6N|7HC_f8nS}xNRTHZ|x$q$TGho9_)<0^jYuJ;U4UjM6>O+8NMSrcwd(|DS^kZWGO z1AbJQiem$4tXUoD1*+rgsPSNJ7rNUX6{x4)UI%^vFZPMu&66fUzE&`UQkT~nb|P!| zI-Xad=?dDgo)n<7tJdV%Lh~XYZgyQqyDzz5exZSP<_+#z-UrE37_e<>Y*J&UGRW}ToN_{l_P=O-?7#=Fu`JBhW~ zXP0#i-FZ{eXnstv3Cj^m=iCf-vuli=a1jvS%nuV*j;3u+prE~+C2@~j@0%8-`@}^B z=A}Me=-ICu=+!<)9vB%lMlX}wi_Dv;gH7gSy2SmEh3oU(C3DZlQ|;9`!$Vs)%e+)zI|gZ`_RtbMd_iXdwDFj!5&iJ`(kXsjs`To zOu@B|dOdG1pN`nEmBt?{xD&hz%jdpy@}o2t9M32L=Bf;N@-`$Q$JdG(g|%ketBsOpw!RRtwBxqaCjeYm(>IIaBt 
z0(JLtmH4D5A|@@MrM@U=gR9B4vF2G1%k*U50BwX zgPG2=TF`tKIA3RQ1=>$~h$O!NQl;X{>BB*vk}Y(qLNx$+{m-&CXEF@;Ry8faLkRM# z+F4KB{Yf`XzUl}(!;+6)*Kf+Yff1c^Aqe15&SvBb6=a))*M`uI|dV3dGA2NLc#k`>g z4J^NdZsWpW=j~keeD}MackV$&bX+kp6@Q3=>fPYg44yaS-#nYndb8k-yk;&Rvak`| z^PeNihpw;m|M%BT?`jQc15Iz|#``iCmTeEFwbEaZ{5-H@$tF#4!Lb2+YTY`8BtJ@L zso9}IUVzZ5;@uy=f2Hdp=mAk!Sd!vp9)74-+*P1%XEM*(4HMuyk|A?&Dy`LC^$?Ve z*41`)C`U_uSg=}W13d618Fu$NmV8X>MUMKIxg$S|ofu*D>zR3V^L7^~uNXZ}`!1$4 z{YQ}QyoLR7*R}|)8P^2LSM&Y@b~Ei5tNsoH$QEAXuZb=cFL5L{)7b5s zV%d$Jo?2JlXnHv>*iD=3`H1u2;F#J!=t1cvg1mNy&rifX5#lmuwRW~^2B6VF;~{hS zdn8O)PS@5vfjdF?ocBuOWB<*k7!fNgbzt?Dpmip%u9(+!>3Y4-(SnzNSfZT~Sku>b z%<=f-F6UvNb z7CBaG2_Rp_4Yfkr(-k{gfc(Vj#^;2q{UN*c7Fk{dQW9jp|0Xg&o#mib2=dV$+wa$g z&}|tkNJrj_?03590y@*X0_9i7x1SDS;?E^oqqrtdZ<#B-�Wqv}GQppx!!n7gwz$ zHc;?G`DL`&dqfJnlau)7d?am@-zg+K6wNB|>5p~n>56XL2FvWmujp?ZT*s#Xs08Z2 zI`TbUpziis1MHU3LM)coEw|A#8`6dP>%1hp(gr?#^qO{vcl@ShL-D--`3|QW9Jd@m@SAP3cd0*^RmNuR1gU|i<5~Jp z!*LJj8V^)x2YxUN`4r!t)|T@M%XiC|;y=pLT51iZ42mm@*?Gl1Y)Lm&zh5vfbUbge)Nz)F0yTMl+1w=TURAywookH_SYS`St{&FizKO0Y_cT<; z_o(t$fP$uFTA3ups$9=rwd;Us^Yo3sSPW z8su524K40Hf%3XsW>3GhJwT5g;Zyr6B|Aew`301zRpV}A1>>g%*CWW!p{+XYW9HCF z2x|H9KdQjpPjnBc(gjI(S@f%ClTsV$DsmSvufy3Ryz9{IvPY1Tg{@uHvs_2F7e93+ zeL$2Cl!xq$YfVerqAP;@*!^hqo^~`jNsxTQl!!XIK064S)k4@PB>Cvx{nc+v4*|T4Kkm&Ft$*tJ5}xM1HNwf9utU*eJHx;=q z^ncg_2*rlJI2z$@lH)mOiWSuvwpVPC89Kewl{z^hD8( zGGB6A^*z-=AFO7>r|yCS5ax@V)Me-sG;T`HrWJNufF1_eOvK}UzDpBmq09Hed|@vF zU*b#sryo=r%6z7-6R<2EbRwTqTe_h`1?vUzB)(T&dhJ@9*3MLg=1aV7y~i9{=w`jK z#IRYLZQ`ym7xbuKI9*cvCsP!bpZj*(eT>=kaV`yo_s01FP_scBoHs3JwSE-n15)$x z&7EKCZik?+RcH9r;7|nlDlXalM-r_WX9TFxN!BLzjL4NtYo&Ex%vB3IDRGNBgzm0H zx6vSh>m&t!@nLaxTJDt!>n>^FNjV#et#y{Y=}9^)3(M-X<>u1GuGJ5Vt@i>0#*a`| z^+UGWK|Ae-PaXO4Rd6FeEJpl0EDH9;iGy!y)hq(>4|`W5@31WFVW>`bMSU9TX7awf z`5^PK#0t3lNx7L zzJTEjfD=#G_*wQCP2W~%y_3ls=H_j?yG7f5bHUCIC}X~SU3M@Qns3}O^G?Lj`6iAQ zBupZC4*@W)gB{gH|gfUOD;Qo%Yky#gHOE7kfnQ=)tt`cNJcG z^0jcam78d~f<_1ri==#m)qC1L2VHd6G}Tpfzp6 
znJxd%lmxsq_Po}u=rwH&j_f$XTdPV?*Itys%K*6Ez<2bItsa!5o8Difpm&i;U#;Xe zZw%NdwP;#{7k|?@-H^=~2H#H6(Jo3k2P}l1AMw`=_L@pNRXPRb-S#TyX6~j7zDuA6 zPuUT?cjG4)rs)(x!=(!b-m?mhOaApPr+WFfl@?2E^pM113)a(aptGL-3+CJVfVTBj zn!c*g22aVbFvQEV3Oxt5fjEb~asO1Z=xJs|X z^cenF(6WeoVsw@fbYoR^M%j5KDcaAj4PEC>f;8$R)9|XTvOl5=9Qq69vku&r1=sn( znKU22Q<3)Mhk`K|i=D0jR6`35YoY^^Kao&&!NT>lk}MUV4%bj!UHQmR_|}d0^Fyxq zslB@dOn_g{O#M{!c5#3zT7b320?4mtz8yDkWl@0O42)ThQxW9%QY712RqPAUYzr_3 zLEdEf-5z@>CqPQu;9u##;VuZe8TblbzH{8H9PrPx!>4xi*9q3-Nqcj@rcjk8o4W!w z5k9l3MU-EEUAA-aQd(ZEtCf|5#?Hu_oP=?W@6tNBL$LgmW_)kg({!${1PP0DtjpbE zNx4OIE!A~Hi6tlhnhfg6oJ#RjP(Igir#dC*u6|HKWyAlXD$NpU_`3po8u>ZV&r-uH z(Y4&c9m~t>VoKW&v2;yMN7CMvk1eceJmn6Z>3KvYi*bL2e07?W$;#?@7IRI^sRxp; z;bSGNe!ai0*8a;dC3MhARy`M;nacPH`Nk=zWCKuk>+XKEE)GhAc`IxkG@ZFpVx?f6 zVEvF)Mn4IA@g4F(~CiG=n;2u8Vo^X zwz-m)-(-5zJwbc&fyq(zYTiTFzYu(CKen_N7TQzi#P@&uLcOwd1`rIR*+z300rSJA z!->|V=uZ3}lFoch#V?=rh;F4?Mj&+>H@&;W225RgW-_gsz5)fMD4O&l@3X~sVVsDMi zuXrow#{MRf{85If?ys)Zfa--UaAy8WAzuLbfoYDv{R{|M5$AAx5#+;Gb07cvlP+X5 zg6{kbxO>l%%NszJ11x0C?*}BmZdR;ngU_MM;VCdD>w1w;sBR>;YzVKi9V+ z_Vj>MY62A400Sw@?i^D)f)?5iSuftaJ{k6EAD!z)B#m&so6U7@-uujrWzPjGSp`{e zaBB!X1l9oW-@yn~#q09kwXXGP*dSmCsPL`ya{Hl7G<;aV1_<4*7PsYOWcdnyS1qMgJIE0x1!h)pGLrn9zCwv_0d$sM1jyT{0#>1uXeDko1+sL| zy72RP$N1Vyu#)gopMaSnSbnCvc>PNcjE5G3PaVdOQApUBB?}f!99br@4X_ZLGOMTx zQ$cFJw-+qe@pMaoMp=NX5acbR&FD{E>3S;Q4zIOvrzED>sZoS@`Q6f^vk3%toKfe27mKkrYsY~#7t#lC zbyURxdEV}%d|u5=ur>=2ZjF=4-T%$>#_9R0r^4?9F4^@lt@Zk!XtYqt)gm{T1|suQ z*?(rP>PDN8AOZ5%nYq`Pam@y@D-NGpLvIOEdKqN={>jWHm+I3|UZVjn%;EcU>EM`a zwISb57R5Cp&Npqrtylc$o^fA*I!}$O#8N*k&{JG1W@$&N%z%7(%NO1^cy(S7R>>O` zJN>s!fCjxc#8D+WeYJJXeT9H244>NQriujk7VhkOyd(C-g7B%^spCwL*;{(Wp8c#* zrRn-wgs?9zUP%_Kcec#hk2Zn#1@56W@NMNV%f^ZJN-NC5yx|fl$u5RAvswnzw5vi( z@6H_UonX3bCi`Fp$3W}ve`B|}c`^3jp> zTy~Cv8hmuJ8T^4kllq{p;2^E`e{L(h#Q(YDJl&RV>+*B3#CXRvTjnQyW9HCiNGD+4 z!K}7yQvh9CI~0=d8B;XtI1p}tieroD$Qp618eM# z<=|6CJNyOh=`1q^SL&9yLznovLi1f}LWJ+zoFY^6_AUGmhz))pzczAVj%`2M6buur 
z*1=A86G5pPKV0b=+bnQ{0Zy8;`f>T`*#k8FCXLogE?s{bVi#HyiroZ0_2}4m9u%9; zwuL@V7P_ie2~aXrv@W#MGdJXy3qJM9!$$&zNUdzAZ%@Z}yXc&&&qt9Z@duxQHy6^V zn?PN8wGO_x*p=3gFoD9|w`>!g{i{iSx`|TKSlNjF-8x%!dTP*W0hSkTriN=J`P{Sh z-QSBY^g_W)Ht0Ba{ZN%Qnz3o9{1|hoWRDQKrOPfv(G6}68p)p9DIMd!(vrIf+>?*s zg&Z52m9Fy8G*srK>wBc;M)Q{+J~Nj>(7YMxQ8pxr&bRF%EU}mLQ0=>~--lwHcOZP~ z-Z%$oK6?0SLtLNqno@&b5agqWuRpA24sbME3?LlHap9f%ncVk+RHE0Qp$P_MQV)(6WvaAWt62*UXV_oV5zc#~w?Z zC~_P0 z*;j0fjHa#pSp}7N0YUZ&%>9(s%TQ_qOrUtz_WSE<-{_nND72B+kI~Dm>gR>JQcSIB zjjs@_(H%Ac$o!_(7jCbj_2juofOmbW-2Ari5M(_slexvJ77T^vyRdu1f1_yyE4Ca# zNyw_@dH z6Z|Pt>@;+-2d2@!;Gyy=)@#_0MYP--1kX=^e6EjRZYM}kNZt@6j=Axi7P|6EEV2PM zRm(2deUkVTsa}$X@)PSJIcp}-${Z(HUf{1;$IqclTWk%M*5IJ!dqV#3 zH;w6R#|W5rS^}P&x<_l&dL;RiHb;*A&yTL)cmYc81GM@(S4|wt@KbxU71lzYe6QVa z-6R?ZLUcdWe!H^(`3kCgzT(XqKy|RlG7L$6++G^+KjzBLLhBIZyIjtwXUw|@0|hAw z!yi0q&1@oHo`%Y1H%Vb;^3#&IQCAMoW+m4~%+paam$Euh_cP7*7Ob~qoumA&0Y_>z9g9 zNzE-P>K?-UuyOEbhj?1zCYun1BeCoRZt2ehi8MP&VI@yLm6_O<*~fWGuzapTF(;zv zddjjHCDy}T-mJ*SN`Co4i`*>@=Eu37KZcEDMnHFxwoO< zuDmI}T>W`Dx`BENly9J@MKwH>S*H2Se4#=*_`y~XR_0G3pPFM_4a1r0kk35@=SP8p z6Bgd0dtc@4SX{l6WOCiFV)%b_f!zemdtHMbKb%FAp@QVw=SJZ3NSb^rNPZjD+WWCV zm7#`gEp)l=4k#)w?B5$}MP?UOYd+j9K#*UsE}jw~o;Pc2k>gba`3BAW>0?$}9~$jM z5O&AOE}N}4wj#4|GF8DnoMq3+jUR3^pVo;>3ht%jJ@FqOPV~zOQlzhy7@4ppaQFN4J3{9?Pv8=vmlQsyrK>DjLER+NFrUp$z36;x_Ji0?l6}{E z)~)xW^Bsn$&cj)<0orcuAn!cTR7$rpZL0MG_Jr*zvhZ%x9!BO(*EfQPYX~HdS=N1< zor#AvK7gY0UeeFA8;$cp?jP`}2PI!5`PHTSL-#Y$)z$|QS+O=LzEhikh7N;IJv;lR;C#>6{;lkyqJWizPrYr+JrYaoDZR?X>iw~3dU!k| zXg=RkTlNLeI-2bW=If<(m6+T{(SH7P@9LFK^GfpV)Qf3!)^gD0iH&XmvzPE;cMv% zDtZz@$r8ectkM6Yi#Z%o$*!F_b&9N|HE9)+E*i-t%>l(u%t2G!-=d_Ck>%sem%H~r z-4LLW7GS?q0P-$Mmfo+Jn_G?xP~#@q(K(~2EAy02_S2ZF1HVkzVPwHjx@o!!)Qt~D zE(&kHi=JfslZM*qTy>H#PS0lH8+$-S&9JDfdzb+4mYwl!<4P;Vm@^3S*6?ND*+XcV z*9+1C9t<<+B=%`(yIJ1!82?Tr0Q*7VT2IzQm0j3(+EOU)piJgteDi-%a>-`06US=i zpbMSrETa6pyGMsr#ZhMTsnpA|-37_}>dr$>x1c?-MS=vs!VB(*V~bnr{*8ZW{-MJE z;WSP5i0)bGp`^w+EHj+O;WKaV6zxwJ+aO?mATb{4YD1fj2!)hf7aLeJ|I7SP(fLG$ 
zV=C#t?`f>TUF-&vtX2hEpG={P-S0dW+si1qI?HQCjwB^>^Q+}n2pHBPz3`A3?^;!A zQQi;;3feu3`2g_}Q{XLv@!rF(bm!P|5kL4!pd~(d{Ib^yPc6A+QLiQ{pAk1Miw$}oeo!^ zynMcIIyGuW4>7NXu5!CW|KAh(2Nw-a3fqISSmFZ{9$4s=3zf7<`T35;P&Bpop znAp=Jq$Q?pZkZQf>9#3*3rNY`Mmhht{MYN)YOAI}l6MIoR~^CJma{>CdQl3zgS6LR~Y5%x6=2sF2Z%aG*TrTyPInX|7zR*c8-ww1q1FhbV8^-Yy8qO*>Gdz9MKa_=(7t zq{6ON%vAug#l05lC%^WjrvPsY!xiWAmecu*@1Qch|)RD~oElms$gC5T*%jPRB znuIb}DUHTd9Qi$XPTJrdv^Ta6Nq)L9!LHV?6 z@=e|4OkL)I@U;Tu!@V8mP9I4dfp|gk*16@SH&1A_F83XUb%)m=Ce+y|bi8^)EWCB;BJv3)+XTX3xz3EgS}Iv%{i&n!_rP3tv|$H!996 z4p2o4@G64*M8D~mGu`@u>Zg$|} zz{4cGk$Dg@tp#0Mu}TV(em6g~MHHb zZ8wHby?nPzf%)#xvfqjKwA|UU3%MQO78Z%zE$R))Nt?QU3hyg>N;u?FF6Ki0m4b$I zlakSBWcRiMX}j}O(7XfwU}Ld(y0$C*g{6iyOTJ?)UFxuaF0!iv8}xR(i?^nz>ttH! z1A^wQfIiO(CL;MsA^jxnlr74!3vEJL=719O^ZTan-c70jdezRNHwPie$GgXsxm1!a z=obVf3;6HjzOJGBVY8e-YGn^|-t7HiE!{X%1PhNc8F-oJ`%Ilp>&1CNI~p{6#Cm-9 z_eNUme7R6;*-^SYQ=*wU>;Q%3)zLrakDYY3!2`qIKs<@LL4DTcBBzZi&V4JLc zN`X#Pv(Sq&)`0R>woWa#D|DVl0Xpz;z#Q#rl%dfGflA(-w(Va&jE;?eOG8CSUwXmT z$Y!_q(zdcsZY;7Rgtz@9_A0L5k{@&wbhY5&&IH+7%J7(E8@lw*1umIawjAI#gw~N7 zc~Ej!$t^^>xY~v29_1le*dr$Kne00*Viu?mD>Sdz-}lzsL1+9wfx6r4B|dong;vGs zB6rM-MTSWd>!@vOUH>YMr`6$8kEe4KmNx=}hr|t}vrQ1FhbQl?`99_@)~T8gMV8#$ z8uz(Bb3(~QL1l`SE6kaB;4oakzLHhv!}eVrF=98_!VIJ$%U9I$5ygkl!-Mf}03`!U zu2LyYY4V^Tc?Ue?`nUUZ4@yN+FA0Ec>R9tW-LB2@D<~h6>3S-mFFmSE5iD%w<7YZi zCkHvw8J|^PiFrTMYK4w2uXOY?~gMN=t}M-P~J%2_}`e%7(Bubq`q2jfgs^| zEq+4iJMI*tijM>=yNdtAidsGBnyOe3OY0?>>}-m1tW4LGPOy@$*S>hvMY^VTA?m@` zRN|USjg&YYZkI;U(|@lO^3OLsP0M-f2<_IjDFm7GYGv;_qjqh`t{Z&nx#)5Pd1YR8 zOlwyXpmG-APXu|NJGhB^HoBe$6h@Grqm;cLc9(9PAcf>-Mm?L3+JrHJViwZIA<8fR z#e6txOOMr6iXiCjV5gPbRQq)5*Qc~D8U*ek*K;13CJqYpxUacb~VlXh*&;qn6n#szI zZ`RTS%a)+4*Gqu*e!K!VFI%fKT}Oun3s^Yi|7-DL(QMjagb9`(=bP^BaF(vE_kuLYo=?kss0y=vy-5iyGr}@& zDk#Sb=2-FcUp%j!noS8~XuES&p$$41$XL&H{_2U$)8NHQ3gJDSA*8}*->vK!=G_iQ z!Fy`qMH+r?mvg1|G+ps~1rEbEKO7pp^2X8a{TX39-W=#tg0tY{u8@TtX<7auF^kgW_t;^+_^AictBCVv#*wSW8rcr zvpes0ggkZHM=RtQfx_+hZk~K2e|2xrjh-^^6u1`#DOlt2rMACqEs(hzd}?+6h%~GB4-YF4gtwJ=TT{R1w4t;oM0~(a>F~ 
zMg`29H&nTeubJnCTm>mvV)(n5KXdcX9tGu1`_xHq5@>lp2$Uy}JS^3T-g(@hB9;^u zBkf?jAz#(8UHu;7+Co1I#R$Lz_(^`VnbV$D1E`G!_yIw_ijU?x_JuC&fJzAR@#1o?q$RCR4GoF~_`sGlK7@+PKO zky;vh-nR!q-l@v|s_ku@43&jXZJYk8f}kC*1&@OFjHL(n;c2KO_L;ZR`7!C0tIl_W zfFvbn>iCXufUWQyYILLGsE_?|kd?bS>=@ zq`OA4vA2c)cIN5cuL>-2MuIozu%>N)>uOk7c$r)hW?KGktphFgEI}I}0e0Z1w83#N zJ!)N3U@s@x-TqnrDqEh;yLfe!9A10lSH<4#bbCT8mPWvmpwHlXcFc=ps?K2XQ6|CXx^vSKJhZN{G= z$q$phhgx=~v+Pt0L5cpq?6#gJX9|+9pMldB7su^7O)Z2yk0kFXUY(rnJ6;MoqLO)( zwPI}qJ++csgIg8~eoA+^S4|N1GD`g75)DS@?gZjaun@U^Q-FDu4?EC(EP4^6EWo`8 z@?Csho%uu1FKuf9mTLwee>K=Qt1ZJC0MyL_oQWVGnDQ>zvmyE|mW$rW2=aShri`n% zurq+OEOH#!Jd>3>?+IkGjb^;Nn*!t=o=nR-f1n$)NDIu;N$oAZFp^30myqWtM;7wPFt2i z0_3yYa3f!X_nED%@GU&G2NNtv-VUx0+*X@*Bu=$OVc`mPci!dSx#LMsnzn8yXn0wG z@3ChJ$9zWPjZ2E^+XMzEwDk7)sI70Ad)Olc4JRxm$7e41x-xEjruHZ~Z=jxidA^mN zV6{_7XT2+I0prK4HrLzMrnPyIk^nzYMrIi?mPT&~)R%AQ-OsBOq{X)BfCcvT`ok;1 zbGF$g(bIQFB>~CWIAK&=VFu5O{w3)i7sQ z0C{CvZTBRQuH%{m5pQEOGD`cTC77RBs_BtL_hmGa{`o#g=p{dm{LA*!gm2C~~@k>w{Oc|G`K z`;fVqb>YxVRTzT=-v1Yho{5x(-LkwC*7lk zpDt2xaMwtj{DYfoEl=;Z>WR%&LA&y1cDHroR=Ax3T?KW=%|8M}=R<#*h}Lnmneh`K z>;Ps%XoU_p46OY(zzC`TV+Qg$-6a^>z*1x%c~Kj?A@T-&G%iU zbKN3Xe)uc0Gd36}Q8*f@_lG@GNO*^tt)>zUCIrzgtL-Q(tRJi`-PnEv(~B^#Afr^q}d6_DJjCxomz;v-fAPKdqRP zkoMF_9%66yzGpaHU8j(RwJr%== zSbZ)N+QgUcM^6-%M~63bm_(1ll^n6e26$spauWT+v%(!{sXfwgKI_Ug`xe0Q4BJljcy7SMnXj=z#n&{V^+T7Q0$=Pgnu42YI84BP@I*b^br1D+UYD+1 zYBw|$Vc8`N>l;61u6AzbDo`&;S9*7E%?I3sj|+C{cQpOeV7R`FFY}W4(blwz#R{BP zv0^#GnEMb4xuMkjBHCW-(lh9)8mN$bPdwIPXLTA~uAqFlx_Q>O4QWT^oUDZbf%2?fCKh@O`tXOSV?fJVyA`c1MRSFLJ#Xp9-x5pYA7&Woj@ULEiJWv8lWg zooDn@)MMCT1A-dKR8kZ8z@4t*ES`epdtcwkJD=(P+bIo&u)Oq<(mhLdGP~k}MG8hY zJK2uh&SOd~pk;re;Cx5eRk+3?G}ZX2>$;K`6q}z5e)!hs8t&|=VF8XsknaXDWBRtG zyWU9w@;-N=_qjXJ#msDkEcMR3W=uVN={oHhbrh)VfYPDshi1|}XpUgvMR&wANef@F(c{lv^w=orT{h5ggTOVfPz52F1`+wr30 zm;i6DTf{b9LFezU;9go$^{mrVU_lBq1Bez0@G;>~?_taxx%nrcq~&StY+Z!KH1Zoa%Ewpjjx(%Y z@Ttd^sYvouv)Z4xFw2pz1;`H(p^@J2GJ&FqJqMvOYjN#yz{hA-Su>JRV3Gkc;+rh6~spt|a8`%*2=;+i2a|Bxt_Q-dcwQ&{jQBAw9ih 
zGw^{8dppx(THOFFvjaHM1}$t;VY^h%{fujcD4ZdtL@be+u+2}sO+>kB!S(s^G=Lp69;JTH92{ox@v{NvsV z^@>)>87MsL<(3TQ>#8$rw7Op~Z%)R3cyOL>?{Go;8uXI4+Irqz^Xs}yb#&?*(mH!S zhI!vm#+{xBwVJ7*@KB@V7N84}J)LQTFjwLAeBQ(NRCq+2vS`7=JvtgMd?$)EWq)s2 zprfsDxmhSZKU0o z^YmJA`39Y5hycBLrReY@a>-H1Z@tA4;s=QGbF5L%S}{lRum6LflN~<|=u^GgOAqTQK7zb`*gdvS zc3P2!A?asy@#8Ca%-yGd<8g%!@TvRUdVoE72TSX-vK;Mj{IvimZsP3Xqy zCveHh-ic) z>U;Op2UPaep1F{-BAscnASIVOb;#|@7--uiSW;hpFj{BK zW=$W_^+S}OE5$s_&)o44BS5}ga#d{cH(f;qmSUEC6~)Hvn??)UA4xvq@upQS#*^A9 zK;GKba;w64QvV5(ub}B3qw>-Yd#xZ8)>)%Zs+>!83! ziP7|_*SIcS^qmUqqcQLsXjiv?@-NyQ+@+yDp7T-A@Z_3gMqK^wmCN*;p?xrxdaT~r zU3Ljl025;D$&D-1s^*syI)_S_Yd2(TIZq+^8AtH3+Ii_rqY-uFTPLbSj*sYuTb>%u zzZyt>H_5oBYYo`hN5ZG}-+d6|;}W&!A0AHIw~qpZ7w90gAQ=(MuHHa5Yuh!LvBtnV zR?h8LG0y)Ch2`6Iq(j{YbhZ}+3PEAE3;ea!hS_o>D1; z^(YcR8=7jH5tMcJ$0^3nbc?zp%XgWfWAo>wGu%$fS+Vh)joGNRbszQFay+EDk3q<(|wtx1M*=S?h zZ7YKI_7dMMXPrhT^|-YO?TZh z3hJem-sw_e`UfM;=MNQvdubiv&#CA zvE`+}_4Y1sH488J*Y+iu_YNEH!GgolP01;{u|tLi;GO`yIZbT`rl!%nkvHyhX0|9r z3l=&gFLtx$G0Yo}Heo2XQMQ%r^^djrX$v$e4d!iTSkGGfXm+DuWv}DR%hPysIS7>n z!=**)zWf|neo)))(P|r=X}fR)?Io+tBU|cL&_nS|!FqVO%APna5#6yi?L}Nq$N9=C zShf8e3;^Q=>*`=?v3)4FhlkAA7yK}Y*(5Yp&<5V)a(;QQA8m(rD=4g!^J0%^v85zk z=1+niZUMPn#QMFQU7dTuoBf0g_ruD@@tS3xC zU00b7f#m$c#8-c>`?L$u3qUW)&csHBPQz)%S|CW+&B;%L|5v&MbH?D7fF%)%do~@X z(D@dNK#BEs8h+}t>h_JvG(1MY1}Dkcz^)(djdX9=Dqt^-8yu;W>{@xUqu3X^H+)J< zfOkbQEnQ(lOWyo278@Sv;fq~v!cbSbl>-FK_oeGTnVA{HX@%t5_~q5Z_i48_dn8EA z`!1vZ$=ZUJwxa;~EZ5J;+6}#N{M6lG29o@e(~!@Tm~)%a0^~zM);St&z@CS3B=zhp z{}ISi=4}jIo#Pr>S^_@x`yw0DPoH?!7Gz|b(OuAeFCk<0fKgi%fr|aVP@wlljsV&AYgAk?7gSi)%CP8 z<~{~e^JD%S>zffY*d0MWWbHoS*5>)`9U|i)X(X3(n@pD9@ty#99`xW0(NxNxbvN8)W=!fX?=VmXvszfyDEQwpofA=C$P-2 zL*~_YJ*ZE!V-;4i2cpT-^6_z-IrZ{**88qb#ihK2NkCG!9SmjTF5#Iev(y+2exMOU`IKj4c_80fkcVsrS)l z{TF5C*DjYXJ~)-mb)X;(lF}B6ADo>wFd>44m0roc$s=kwFQ#)&5VV)%y7Bp=-!RT* z)w5V$xbKUt=Mpg|m@B*71na}=RNJYq?$iA)OrU;xFMcG*v#`E~HmIoz%!|CJUxzMs z(6m=Abh+6%C@w$jCH{)ageQYd3>7Djh->; z6k6vl!-qU^K1kQ}eg*fIycuTqSE!DTTYvin!+t<_cS#!0J2kPRqnmv$h|+@qvV#LI 
z9d5iuw;3H-_0_7YP5D2+FWvK9sXBBw`JYG#uCHcQeMa}l|LCEq?L{mEA6Y5?ZcF{X zAbK!->Omp^Nj}T4hm-ozTAuq7fJQq$y1Balo{F@zy#>lojm{pp)|0NIg@SaK?EC1O zx7A*ny(w5v$;z44i98!>Lk+dGsHNhUp|E`Qma#drj4rCb0C`jJ;(zabJs`U+7FnJ` zlHcu7alKn5JdQHP0(7|oARk33@vP^BRuF<6l*L>X?g41z4PKdUlbJ>Ge%An$E-u`f zFt`z2LBWFME9gd2FcaI3)Qwjs4^s^;QBj49coj`L@vj^4?ggXWc5attuP? zAY7RzIVE&<^NP82++~CU!ws^YvOSV-A2qv6*VImt0Pk>=NV@rsCjUcH;%J}Gol>19 zYh4FYGBs$pElccTh~~{t@XCk{RYrFJuRBG=}iFnc}$D5QzFncs$cF=`0e%$&rIX<1rFC$>YR9AP(M1l4LVi>f7W1S;-~J{)$T$mc&j^1?_3nGcC29mx+BPs`3s+UuBEN+X#r}+ zO4{Bh_CZZr?Q-42TxI7;|M{<2HoB5}3zjddi}SohTI7X-gbi{$T<(T{M;g8@V7R1# z?<)TezITI`x%7Q3FR$jsokL*B2A8VMXO^P{$e}H9$n;H3hNAIl1Y*`y8V2Rm}nGqgKo9+Dy%8$e+PfwXhI{~SP zx@zF`pBAooV5@6W!R_z5LJL`58`$X~B*26HD^G1qcZBl@>K!EaB3tLXltfFN=Ml25 zF0cX%CXkgnf5EQ4bmk+J1ibkwdyyEPkFM?Yf|YEktu)smhE|ZL3M%V{_IXC8(D~Mg z$3ja2OWv)vGWog-)K9i;r1*w_oVWlA&x4p5*aHaj8zCZxmawHuo8vKpT30=9H`ceR z|B-H?-T?c+L0q0Kb9G&AI)1QJVd2$uen2UFr1&&i><0=h8&iAzob#S;q>4{aY>An* zt~RIwEwxh`>ZIo@`^%?_m+ATn6SQnULfuu3n0t6r(pgDu$MuaYLCf7L0g4Q(BeJ_0 zc4)5G!x)j`KVS*ce=~p6e+rpopI><^-DD3%B6jwY-AM%>dVi*CuF_MKAKWO`j$FTa za{*oUu?h%{CXDEkcM=EW{G z=F}}(J2VREp!eaeXN3bfveSj$q0qcSHyD;Rh0gf3f=chhKh!p47Tq0epF@Eq_vge< zoHd*dyZRuhcLkH}>Edeik#yyq_5XcDPs%QfH1rPAhdkC5N{vGiaQB>g!-CBV6v4np zaUACjdrx;q`!tkqEMu8v47*KXU3nvtEAeGAUEi+-%SZJ3U->oySGY#Nr=D}wehG!; z#l1SY@fAAD?FdSCugsm(CX6Ou3X-=TaT`;2)B0TFRVFK6J3YTlnr%?qP`YK@5!D(b zY_AFrJn6o$4_QZ8g^-*-J}{|$eR@RuAJRH!qvZ0jPi3<t2i-#B1?()@ zzICcd3Nv^g7c8u08~LhgS+gMX(qE1@C^pQSc*UyfQtnQ=PO3XlZ-jXZTX*f!wseGV zA%c1b*rx}JpX`WMc*mR6^o-SJ>Ve=TPePUMd9W^RAj`hRtX=fZ8aF;Bf8<@3aG(QiRS!&t}THuE70F?RC_fK3soJJQS3U-cFs13J!bfar2 z7Ev7^r785NsS%fjhFjE9p$|avn>tS1pYWwJKnSaKcp8GTTSq6&-}RF=%87^?@wRk+ z3)!i}9}97xLv;&@YbOKEkC)3_*X*V1cN&0K4_rOM*6;mNE0_u8Ie}iA&Z2#8^=wV& zn(JdGtLVMa`*_s5{ViG%dn)LGXkO$&>pVW8jZzXYb$yp2yg&LtOh9x5oA-SCZ1-rf z;}Jg)GoM9|xINE_QE|)3WQ7z!BcsD0=cwo-(Gk&+Y$5}L&oECMPEZnwiayH1HoD3O z=!!dq@KKOqKMUvVIO7!!=lmq#sOV!X+`hx1-ROW?2I2dp!7=`jdw6shn?#oQFJtK> 
zHenKwJ5*g*^kIn(oqEF;im#WBgg+tL&J_;&B-1!%Yrz_+*F4!XUX zg*W^6O~k!HmZ};IaNO3oZFgqHMZkaOut~V>thfeM)v~9*P?FdYcOY)-ooSHR4mOdG z4eIG>eQ*6$$gvlan0_bl&MY>GpFe-}p_5o5k`NN?joWi)2Af1!>tGk!Xgy0$Vpm)^ z6l6;ruSP}6*w4o`K_!%CYI9qE!=iv3`{E8mweGnyCvH0{OP+~arqRi)v`FU8Og5Pv z1<%LO$)uVkbMGICH1{-#N9knx|4&`0d;i=EWTja$D1vPU4W;J_3K@WD^;gxAj`ELGn`Tt+o`3FUHU2%K^MS+Nj zRfCC=D0C*%Y9{{7Bx<70IEW_F7~43uHAzPkYb2A7Gfq-9!|npRfJhXU1s3`FSe9jf zJeD8(16Typ{t9J79`O9YE9M)`Pgfk$VE| zFc-)$UOal~A}-*$Uw}?Bug4}V!XqI5A?`va9|LWatZ?|!tJiRRAK+dk{^->@cp_y4 zU%Be<;q(-KXJ<s>sFtc{6Lji{9@?H(zLGXHL$5}mmD1t6gr zc1MZ*Ki}Syg)cQ%0oL-+ZR7FBb77PjFgm$vH*UetVnKup(0h{0dA+GPd<@`xzG~A` z*JnBYCPd!sx}igXl_cH~HF$06RfYJSm$;um`+WL9^jl#VqY9mPL0pPQ!l7v)J{Deb z63tJx*W#1N3Am2;1f)@ViQRrJ<1D_Y{Rjd)3-RIXh&V!8abS}-8;^%y#YIF$TOTMg zaduk)J|FE|WHk2y`LK7wV1ogTY|HOok)}A#1Osa>WP*eA;nKpVFXMdX9N;aiS;vGr zl7DK8`yxIk4GM2(f}aT@69iJ?#n^@{c$?Vl8`t6gli-f9<`Poq6C2aqbXo)Hz_+I`UE}=@`R#@!J;%63-S!gSU z-~a31aEW~&VYM@>pIJp_r6ra>mtKcUSU|#NXEr~xiOfbz9MU(tAGCn z35Sk3EX-NL90GInGl!Eo=%KMTzWf0mwTBX?wOq_mrN|kWlimYuNnDb%f*S<)TvyC6 z>Mx2=wPMRXA%|5_=>$CS$G`3@Gv(}v@_AqM3IRCYo}F8-aWPk@AWEB zaoL&6&s-vN(Y@|Y4C-)0CP1Ro&N}_9Q)Hb2>!b^hjh|*6#|_Dx$5p!fSht3CS2K4h z*&`b}Ze-)R&IA&kJm#@8PXoz6`BBO5;VFg4e-dVlR2XwpHT&w{$+|HI0(CR?_$-EnPgH z9|*MK5;=;5Q_{9d8ndJ=B)$0b%ce2#Vs;HOph$?4wpY^d&o)wGo-ge=ycbiF!I2J0 zTTjBz4z13_dvU)4dnK)&_XWwHTHdP0`DTUh0sEsEpLJ=^50HIeKFs{@qFcag4U(oo z(rP7*Thg{f8w(-tgHC)b_AUUS3zA0QJa>omWlp;K4&ISwE)nolgbZg$*j%%L_>PGQ z1-1wJ>50_1)AthI^7<5L*)E&tC$)P&2@l}#$!WNzm^3@<;@&lQ3K)#Q!3tfd?;OeR zXwq)Q`2`EP<-Y20t1X;MKX{9mj}+m?9|XQv9q?3>jVGnPZ^hwefcs2xJ6-+f9_#-K zhsOc#ZwRWLWXoSyTQ=eFx}V0VWOcLbqo0&s=>9ebhyMg{ew$okCR^UDPKn3i0R^_n zrSw_I(IuJ0cTUDHf|hL|6FpRAS!GA?ma_pa6@y;7IvD)dCgN?D6%jb3ZX$i2TX2Rr z1-JpQp+K&q4{;W?C5pJ&8H*#Z&q%hM^z@Y}9DX|j2kYrQ)%UB7+i=(gaAjdwN9U8| zJD;z`i-f8F!m`j3&Oa|lvA;5@J`FeFl_lJS8cWF6PdXob?fOkTrB(whv;=yM!S=qf zJ~~==PhKJ3YxPw`B3Mkfzv0@QN<6o0cm&#S4S0HjhAPtj#PWT_4A%m0X%BcmB;hT~ z?ry+)?qh%*-C+}bWckkLRqJs$C6&Y8{(z^3Z26S?fCq>71MGLmC3H$W{7o;BTk1F* 
z%-72md1TA&kNut4I|l*Qp9|^R1ATNcQT*PsvAE^ymvX+aI9NlUlUfoQ+&FwP0*^J& zyUVrNn$tKu2yn4!OkGL3{rr{N#1p85M>$;HFBj2E_kuT05{d1X)3A>o>OFTiNO*)B z0j?0`qI&rP-MCPC_$cnS9O1)8I!NnYSv!Qos~+Qx8@pwZjx*=O`VJgE4zS4+in50) z=vsLehkXFo_=2@`kPfUKP^#tGb^k-lIP7kKildzFvrk%b%kajtf%kZVdV0t7#N@6Y zaJT|se@D22K3?rxH$+@3zcCFP=?K3XUq}pf#_||dNaGDfsq(frR{b0|`)ztzRh zysC1h6Vt;5a7&L|M4P?C5XiyTkSTzB@63zsBK}k1J+}dg#Ou|Mm0vIQ$0=kEzSUx%Aw; zmXth*!y>>sU$k1Q^!4ylcuJZC*y)q&e7vkDlW8#R5n}b)@dW2ZchF83Jvl`;-o!0G z18}E3R7jr#UH2{DjKkMC%sXt%MZ