From 00d586ef8c9c01029a5ab0929022ccded3ef9fa8 Mon Sep 17 00:00:00 2001 From: JD Date: Fri, 9 Aug 2024 12:51:38 -0600 Subject: [PATCH] Article: Fleet 4.55.0 release (#21147) --- articles/fleet-4.55.0.md | 132 ++++++++++++++++++ .../articles/fleet-4.55.0-1600x900@2x.png | Bin 0 -> 52679 bytes 2 files changed, 132 insertions(+) create mode 100644 articles/fleet-4.55.0.md create mode 100644 website/assets/images/articles/fleet-4.55.0-1600x900@2x.png diff --git a/articles/fleet-4.55.0.md b/articles/fleet-4.55.0.md new file mode 100644 index 0000000000..24e4a416a5 --- /dev/null +++ b/articles/fleet-4.55.0.md 
@@ -0,0 +1,132 @@ +# Fleet 4.55.0 | MySQL 8, arm64 support, FileVault improvements, VPP support. + +![Fleet 4.55.0](../website/assets/images/articles/fleet-4.55.0-1600x900@2x.png) + +Fleet 4.55.0 is live. Check out the full [changelog](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.55.0) or continue reading to get the highlights. +For upgrade instructions, see our [upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs. + +## Highlights + +* MySQL 8 support, MySQL 5.7 sunsets +* FileVault key rotation with Escrow Buddy +* FileVault enforcement at enrollment +* Arm64 support +* VPP app support for macOS +* "No team" software support + +### MySQL 8 support, MySQL 5.7 sunsets + +Fleet has updated its database compatibility by adding support for MySQL 8, while simultaneously dropping support for MySQL 5.7. This change aligns Fleet with the latest advancements in database technology, offering enhanced performance, security, and features available in MySQL 8. Organizations using Fleet are encouraged to upgrade their database systems to MySQL 8 to take full advantage of these improvements. By focusing on the latest supported versions, Fleet ensures that its platform remains robust, secure, and well-equipped to handle the demands of modern IT environments while phasing out older versions that may not provide the same level of performance or security. + +### FileVault key rotation with Escrow Buddy + +Fleet now includes support for FileVault key rotation using [Escrow Buddy](https://github.com/macadmins/escrow-buddy), a tool developed by the Netflix Client Systems Engineering team for the MacAdmins community to securely manage and rotate FileVault recovery keys on macOS devices. This feature allows IT administrators to automate the process of rotating FileVault keys, ensuring that encrypted macOS hosts remain secure while maintaining access control. 
By integrating with Escrow Buddy, Fleet enables seamless key management, reducing the administrative burden of manually rotating keys and enhancing the overall security posture of macOS environments. This update reflects Fleet's commitment to providing robust security tools that integrate with trusted community resources, ensuring organizations can efficiently manage device encryption and recovery processes. + +### FileVault enforcement at enrollment + +Fleet now supports enforcing FileVault encryption during the enrollment process for macOS devices, ensuring that all newly enrolled Macs are automatically encrypted. This feature enhances security by mandating that FileVault is enabled as part of the initial device setup, reducing the risk of unencrypted data on managed endpoints. By integrating FileVault enforcement into the enrollment workflow, Fleet helps organizations maintain a consistent security posture across their macOS fleet, ensuring compliance with internal policies and regulatory requirements. This update underscores Fleet's commitment to providing comprehensive security management tools that protect sensitive data and simplify the administration of macOS devices. + +### Arm64 support + +Fleet now includes support for Linux hosts running on the arm64 architecture. This update enables organizations to integrate a broader range of devices into their Fleet management system, ensuring comprehensive oversight and control across diverse hardware environments. By supporting arm64 Linux hosts, Fleet caters to the growing use of ARM-based systems in various sectors, allowing IT administrators to manage these devices with the same level of detail and efficiency as traditional x86-based hosts. This aligns with Fleet's commitment to providing versatile and inclusive device management solutions, empowering users to maintain a unified and efficient IT infrastructure. 
+ +### VPP app support for macOS + +Fleet now supports installing Volume Purchase Program (VPP) apps from the Apple App Store on macOS devices. This feature enables IT administrators to deploy and manage apps purchased through Apple's VPP directly to macOS hosts, streamlining the process of distributing essential software across the organization. By integrating VPP app installations into Fleet, organizations can ensure that licensed applications are efficiently deployed to the appropriate devices, improving software management and compliance. This update enhances Fleet's capabilities in managing macOS environments, offering a more seamless and centralized approach to app distribution for enterprise and educational settings. + +### "No team" software support + +Fleet now supports adding software to the "No team" team, providing greater flexibility in managing software across an organization's devices. This feature allows administrators to deploy and manage software that applies universally without being restricted to specific teams. By adding software to the "No team" team, IT teams can ensure that essential tools and applications are available across all devices, regardless of their team assignment. This update simplifies the management of widely used software and enhances the ability to maintain consistency and compliance across the entire fleet. It reflects Fleet's commitment to offering versatile solutions that cater to diverse organizational needs and streamline device management processes. + +## Changes + +**NOTE:** Beginning with v4.55.0, Fleet no longer supports MySQL 5.7 because it has reached [end of life](https://mattermost.com/blog/mysql-5-7-reached-eol-upgrade-to-mysql-8-x-today/#:~:text=In%20October%202023%2C%20MySQL%205.7,to%20upgrade%20to%20MySQL%208.). The minimum version supported is MySQL 8.0. + +### Endpoint Operations + +- Added support for generating `fleetd` packages for Linux ARM64. +- Added new `fleetctl package` --arch flag. 
+- Updated `fleetctl package` command to remove the `--version` flag. The version of the package can be controlled by `--orbit-channel` flag. +- Updated maintenance window descriptions to update regularly to match the failing policy description/resolution. +- Updated maintenance windows using Google Calendar so that calendar events are now recreated within 30 seconds if deleted or moved to the past. + - Fleet server watches for potential changes for up to 1 week after original event time. If event is moved forward more than 1 week, then after 1 week Fleet server will check for event changes once every 30 minutes. + - **NOTE:** These near real-time updates may add additional load to the Google Calendar API, so it is recommended to use API usage alerts or other monitoring methods. + +### Device Management + +- Integrated [Escrow Buddy](https://github.com/macadmins/escrow-buddy) to add enforcement of FileVault during the MacOS Setup Assistant process for hosts that are +enrolled into teams (or no team) with disk encryption turned on. Thank you homebysix and team! +- Added OS updates support to iOS/iPadOS devices. +- Added iOS and iPadOS device details refetch triggered with the existing `POST /api/latest/fleet/hosts/:id/refetch` endpoint. +- Added iOS and iPadOS user-installed apps to Fleet. +- Added iOS and iPadOS apps to be installed using Apple's VPP (Volume Purchase Program) to Fleet. +- Added support for VPP to GitOps. +- Added the `POST /mdm/apple/vpp_token`, `DELETE /mdm/apple/vpp_token` and `GET /vpp` endpoints and related functionality. +- Added new `GET /software/app_store_apps` and `POST /software/app_store_apps` endpoints and associated functionality. +- Added the associated VPP apps to the `GET /software/titles` and `GET /software/titles/:id` endpoints. +- Added the associated VPP apps to the `GET /hosts/:id/software` and `GET /device/:token/software` endpoints. 
+- Added support to delete a VPP app from a team in `DELETE /software/titles/:software_title_id/available_for_install`. +- Added `exclude_software` query parameter to "Get host by identifier" API. +- Added ability to add/remove/disable apps with VPP in the Fleet UI. +- Added a warning banner to the UI if the uploaded VPP token is about to expire/has expired. +- Added UI updates for VPP feature on host software and my device pages. +- Added global activity support for VPP-related activities. +- Added UI features for managing VPP apps for iPadOS and iOS hosts. +- Updated profile activities to include iOS and iPadOS. +- Updated Fleet UI to show OS version compliance on host details page. +- Added support for "No teams" on all software pages including adding software installers. +- Added DB migration to support VPP software features. +- Added DB migration to migrate older team configurations to the new version that includes both installers and App Store apps. +- Linux lock/unlock scripts now make use of pam_nologin to keep AD users locked out. +- Installed software list now includes Linux .deb packages that are 'on hold'. +- Added a special-case to properly name the Notion .exe Windows installer the same as how it will be reported by osquery post-install. +- Increased threshold to renew Apple SCEP certificates for MDM enrollments to 180 days. + +### Vulnerability Management + +- Fixed CVEs identified as 'Rejected' in NVD not matching against software. +- Fixed false negative vulnerabilities with IntelliJ IDEA CE and PyCharm CE installed via Homebrew. + +### Bug fixes and improvements + +- Dropped support for MySQL 5.7 and raised minimum required to MySQL 8.0.36. +- Updated software pre-install to use new GitOps format for query. +- Updated UI tooltips for pending OS settings. +- Added a migration to migrate older team configurations to the new version that includes both installers and App Store apps. 
+- Fixed a styling issue in the controls > OS settings > disk encryption table. +- Fixed a bug in `fleetctl preview` that was causing it to fail if Docker was installed without support for the deprecated `docker-compose` CLI. +- Fixed an issue where the app-wide warning banners were not showing on the initial page load. +- Fixed a bug where the hosts page would sometimes allow excess pagination. +- Fixed a bug where software install results could not be retrieved for deleted hosts in the activity feed. +- Fixed path that was incorrect for the download software installer package endpoint `GET /software/titles/:software_title_id/package`. +- Fixed a bug that set `last_enrolled_at` during orbit re-enrollment, which caused osquery enroll failures when `FLEET_OSQUERY_ENROLL_COOLDOWN` is set. +- Fixed the "Available for install" filter in the host's software page so that installers that were requested to be installed on the host (regardless of installation status) also show up in the list. +- Fixed a bug where Fleet google calendar events generated by Fleet <= 4.53.0 were not correctly processed by 4.54.0. +- Fixed a bug in `fleetctl preview` that was causing it to fail if Docker was installed without support for the deprecated `docker-compose` CLI. +- Fixed a bug where software install results could not be retrieved for deleted hosts in the activity feed. +- Fixed a bug where a software installer (a package or a VPP app) that has been installed on a host still shows up as "Available for install" and can still be requested to be installed after the host is transferred to a different team without that installer (or after the installer is deleted). +- Fixed the "Available for install" filter in the host's software page so that installers that were requested to be installed on the host (regardless of installation status) also show up in the list. 
+ +## Fleet 4.54.1 (Jul 24, 2024) + +### Bug fixes +- Fixed a startup bug by performing an early restart of orbit if an agent options setting has changed. +- Implemented a small refactor of orbit subsystems. +- Removed the `--version` flag from the `fleetctl package` command. The version of the package can now be controlled by the `--orbit-channel` flag. +- Fixed a bug that set `last_enrolled_at` during orbit re-enrollment, which caused osquery enroll failures when `FLEET_OSQUERY_ENROLL_COOLDOWN` is set . +- In `fleetctl package` command, removed the `--version` flag. The version of the package can be controlled by `--orbit-channel` flag. +- Fixed a bug where Fleet google calendar events generated by Fleet <= 4.53.0 were not correctly processed by 4.54.0. +- Re-enabled cached logins after windows Unlock. + + + +## Ready to upgrade? + +Visit our [Upgrade guide](https://fleetdm.com/docs/deploying/upgrading-fleet) in the Fleet docs for instructions on updating to Fleet 4.55.0. + + + + + + + 
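Review bot: The two statements of the MySQL floor disagree. The NOTE under "## Changes" says "The minimum version supported is MySQL 8.0." while "Bug fixes and improvements" says "raised minimum required to MySQL 8.0.36". Operators planning the database upgrade need a single number, so the NOTE should carry the same patch-level minimum as the bullet (or the bullet should be relaxed, whichever the server actually enforces). The end-of-life link in that NOTE also points at a third-party blog with a `#:~:text=` fragment; a link to the vendor's own lifecycle page would be a sturdier reference. Separately, "Bug fixes and improvements" repeats three bullets verbatim (the `fleetctl preview` / `docker-compose` fix, the "software install results could not be retrieved for deleted hosts" fix, and the "Available for install" filter fix), and the team-configuration migration is listed under both "Device Management" and "Bug fixes and improvements"; each should appear once. The appended "## Fleet 4.54.1 (Jul 24, 2024)" section reads like a changelog paste: it states the `--version` flag removal twice, repeats the `last_enrolled_at` and Google Calendar fixes already listed for 4.55.0, and has a stray space in "is set ."; consider dropping the section from this article or deduplicating it. Minor: in "Added new `fleetctl package` --arch flag." the flag sits outside the code span, and "MacOS Setup Assistant" should match the "macOS" spelling used in the rest of the file.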
diff --git a/website/assets/images/articles/fleet-4.55.0-1600x900@2x.png b/website/assets/images/articles/fleet-4.55.0-1600x900@2x.png new file mode 100644 index 0000000000000000000000000000000000000000..6d5b25e8f6a72861229358e0fb7941dcebe40488 GIT binary patch literal 52679