From b5cdf98158932b245db302dc0fd3c82dee437f7b Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Wed, 25 Jan 2017 04:24:09 +0000
Subject: [PATCH] [rt] genpatch.py: Verify tag and tarball signatures

---
 debian/bin/git-tag-gpg-wrapper             |   2 +-
 debian/changelog                           |   1 +
 debian/patches/features/all/rt/genpatch.py |  41 ++++++++++++++++++---
 debian/source/include-binaries             |   1 +
 debian/upstream/rt-signing-key.pgp         | Bin 0 -> 13892 bytes
 5 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 debian/upstream/rt-signing-key.pgp

diff --git a/debian/bin/git-tag-gpg-wrapper b/debian/bin/git-tag-gpg-wrapper
index 58e1750ee..9982b0140 100755
--- a/debian/bin/git-tag-gpg-wrapper
+++ b/debian/bin/git-tag-gpg-wrapper
@@ -30,4 +30,4 @@ while true; do
     esac
 done
 
-exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"
+exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/${DEBIAN_KERNEL_KEYRING:-signing-key.pgp}" -- "$@"
diff --git a/debian/changelog b/debian/changelog
index feb3850fb..153220295 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -363,6 +363,7 @@ linux (4.9.5-1) UNRELEASED; urgency=medium
   * [arm64] video/fbdev: Change FB from module to built-in
   * [arm64,armhf] video/fbdev: Enable FB_EFI (Closes: #851778)
   * fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
+  * [rt] genpatch.py: Verify tag and tarball signatures
 
   [ Salvatore Bonaccorso ]
   * tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
diff --git a/debian/patches/features/all/rt/genpatch.py b/debian/patches/features/all/rt/genpatch.py
index 6253a4ece..eb3792d35 100755
--- a/debian/patches/features/all/rt/genpatch.py
+++ b/debian/patches/features/all/rt/genpatch.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 
-import errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
+import codecs, errno, io, os, os.path, re, shutil, subprocess, sys, tempfile
 
 def main(source, version=None):
     patch_dir = 'debian/patches'
@@ -44,13 +44,25 @@ def main(source, version=None):
         if os.path.isdir(os.path.join(source, '.git')):
             # Export rebased branch from stable-rt git as patch series
             up_ver = re.sub(r'-rt\d+$', '', version)
-            args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
             env = os.environ.copy()
             env['GIT_DIR'] = os.path.join(source, '.git')
-            child = subprocess.Popen(args,
-                                     cwd=os.path.join(patch_dir, rt_patch_dir),
-                                     env=env, stdout=subprocess.PIPE)
-            with io.open(child.stdout.fileno(), encoding='utf-8') as pipe:
+            env['DEBIAN_KERNEL_KEYRING'] = 'rt-signing-key.pgp'
+
+            # Validate tag signature
+            gpg_wrapper = os.path.join(os.getcwd(),
+                                       "debian/bin/git-tag-gpg-wrapper")
+            verify_proc = subprocess.Popen(['git',
+                                            '-c', 'gpg.program=%s' % gpg_wrapper,
+                                            'tag', '-v', 'v%s-rebase' % version],
+                                           env=env)
+            if verify_proc.wait():
+                raise RuntimeError("GPG tag verification failed")
+
+            args = ['git', 'format-patch', 'v%s..v%s-rebase' % (up_ver, version)]
+            format_proc = subprocess.Popen(args,
+                                           cwd=os.path.join(patch_dir, rt_patch_dir),
+                                           env=env, stdout=subprocess.PIPE)
+            with io.open(format_proc.stdout.fileno(), encoding='utf-8') as pipe:
                 for line in pipe:
                     name = line.strip('\n')
                     with open(os.path.join(patch_dir, rt_patch_dir, name)) as \
@@ -60,6 +72,7 @@ def main(source, version=None):
                         assert match
                         origin = 'https://git.kernel.org/cgit/linux/kernel/git/rt/linux-stable-rt.git/commit?id=%s' % match.group(1)
                         add_patch(name, source_patch, origin)
+
         else:
             # Get version and upstream version
             if version is None:
@@ -70,6 +83,22 @@ def main(source, version=None):
             assert match, 'could not parse version string'
             up_ver = match.group(1)
 
+            # Expect an accompanying signature, and validate it
+            source_sig = re.sub(r'.[gx]z$', '.sign', source)
+            unxz_proc = subprocess.Popen(['xzcat', source],
+                                         stdout=subprocess.PIPE)
+            verify_output = subprocess.check_output(
+                ['gpgv', '--status-fd', '1',
+                 '--keyring', 'debian/upstream/rt-signing-key.pgp',
+                 '--ignore-time-conflict', source_sig, '-'],
+                stdin=unxz_proc.stdout)
+            if unxz_proc.wait() or \
+               not re.search(r'^\[GNUPG:\]\s+VALIDSIG\s',
+                             codecs.decode(verify_output),
+                             re.MULTILINE):
+                os.write(2, verify_output) # bytes not str!
+                raise RuntimeError("GPG signature verification failed")
+
             temp_dir = tempfile.mkdtemp(prefix='rt-genpatch', dir='debian')
             try:
                 # Unpack tarball
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index a61050820..f9b965374 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -1 +1,2 @@
+debian/upstream/rt-signing-key.pgp
 debian/upstream/signing-key.pgp
diff --git a/debian/upstream/rt-signing-key.pgp b/debian/upstream/rt-signing-key.pgp
new file mode 100644
index 0000000000000000000000000000000000000000..f55b064cf1efb2bc315c35a988844c9958ed5653
GIT binary patch
literal 13892
zcma)?1yE$mvaTC<cXxMp8=S!%26q|U-Q5}79R`QN-QAtR-QE2%d*6M}IWOYA_bQ@S
zS661O=%~o`RsLBE000mI0Re!&eo;38d^Yt^(yl+BKmETOOcyZFU%hAm00tib48S!a
z6HENKEEO>s!`k;qIz*?Ayqo^?ApFaVd0=LEFwvZGhE^JIeJD>EU#9&z&ij`Q@Hrdy
z^OE!Vi|OwXFu2cemcRNS0ML(rYk%ASzW(!%Qi0(>Wz)}NfDi%wSFpZ`X9Z~%(Nz$R
z<KH$Kq?PckI3<D$+HVHl(&aJd&yMe?6qtvgGhROMR3Z!cU=IMPH|u8p37w(o)whDu
zU2%4O5{~R0U(~p=R@-LMWE){x@2tFm<11#J2L=T?_ugxySn9B-l73lv@b9n6+H(9j
zpyUzaDe00mv#zpy1*tSO%Eb(Io;Wd#vVt_ukN1Y}bzJTPRgakD=x0(?$m%vh8PanA
zV!4j%FXk}&UX{0&5+oR4yGQ8;+GMA0CQl0q^h5IX7j-K{?>+c)ny&D)C(j<1S{y+G
zq+Mq`ZYx@Cb~sd$FTym4m5U-<5dQRLPpHf!%M&u$70({!!qln-cwJ<zs$n8nsQZTm
zDYbqTU%hwDESm_Btwz%kpnBefMglIN*^cg8RKGR23{t5Xu7j@8x0dC{_eXpj%-<P%
zxL2=EOx6SAYkpJW9`eaq6j(2=$PJdsT-#B0x>6p>@PzYj!fq`P`=$Zj;&4Z6Rv5^V
zT&#DVjlb+_h)gsMqwEIk0tCZY4{H}1yfW3d$8`#Oi`{6x>z4wT1&)^Q^fW+UUK!wc
z84z_#Bp3TK36PV<!W|()S0kCU(VYG48c2K<>^eV@>#5t@ZcWvH11Zv4F3+yurKNl+
z=ro9UtMhFWv)bW<g(e~ur0kK<J-o5;Xrf1b<nS{t1|R_efa;i(j1BZ19L@Eu35BeU
z?A?tm2$jr@UCeFl33(07O^x*(+yuXyTRS=0+gO{s(i<7`hXHedq5wexh`@kl(=V8T
zaX`RepdcYYz|f$fAYs7JK|Z4$7#|22!xsPzh4@c+KRhA=Vune?LcnJYe_~Ygt$!Cu
zI5+USex)|L!Cc^MgtWftAU6{T4Qhb4d<;cIcS$jPR1;?hf(Nabm%U5<0@!)46x(`H
z)*T;%rS$am-dI!T<g#HKiFVusBQ-gT#Ub3YAF2-x&;_r=`vwfcu7_9<Zm2gkk3Av8
z`JuDdqbGbC^&(>8T~emrmBtda+7&cIpc5-(vK%Jq>x<IYP+7HEKTP7vEK|+3wk<;F
zrZPK_F;pPPyIK5R)gOvT??qN<htFd;arV2McE6lLHCT<ZH$nZ-gmaeaT6?!O21(S3
z%Mu;48krO<pozb@|GTMZEf`!930;3&lhk6&M6^d+q24(q$`(!}Cug74fzsf#N-BqS
z3tyUmjGPlnvM3oO)>=#Z1se#6u0w7=8q&M>Q+=Yqv!1v=>B}>^0rT8P1%B!-G=IJO
z38G*#SzcZA)!ZnR{B>Dh%P-31Gg|*QA5MO0-v(Z7g{%wM6^MrVOJnUK!6!-qh0Y`$
zEA(K9;-yt1!=JFej$Q2cnOWxYlTk$n^UE=0cvy;KWSRC-I{+Uz;wju2Z0_GrX<FgM
z)-IF<+Fkvx`Zp!|DnIfFwoP?!zE=qF!{54SA(7`zmafVaezl{Z{uZh&jUkNIY2h`8
z+Qxy?1F~D&CZ|;q^Imo4&=8xl(k!VUdi*9B_Fl*Ge+f2+f8tQkz}{Hj($>b@+L7MS
z@IS-tJm&v1+!n78-g!etUXK6;@In-ws7VDLaX42hb;mA50ot9gs18f5{+LZ!?1o=v
zVA(@1&y6!JzYLEEfDnKO@H&+DbsNTpyOEy+GAu`Buwq1>V_^m;IL#We7z$wWmoIGl
z1rVgwC#-}feaud5JI*Q0rfgSD@}Q01w%qzh5m~{}Ajd|YgTo#56|yucINifKdoTu&
z+=ssX+R-PSh})~70c)*%4j0xRw-Q>lp(P*z(leq#42HGU@O})c;-6S0+pne@k(=0h
zgMvHz8CnVU+#)IweZL3JOni$8zOSxt%q?jc7J`)vp_)B<)_Zcr9SZKq8hA=Zng#sR
z(%oVjDv5^$!wOOmeo!mjN#E#JbbO>@Zpi2j*9019A&l#?8zG)PplM0B>BhVf>bp2S
zJb>X@G?;{$wn(8%^EnYxk4LT1!<D5x9~hjp1Ha$i1IJb&($EtebQ~^zlA{$9RP-05
z1bqoZ*FL6Vh@!xXfRl!HT2gq3C^}x~f!_|IX{Hm+3Tr!LcQ=NgOj2Wj&0GnzXQUG?
ziyr@!nK!B~)NKh)H@uXIa=M0lvaCKvJaR9bWWi=K_W^6>X;()X+OI^^z)c?}>}^Ie
zY3#L<?mRkJ<YA@tJw;K&JqzkB0aTpD;eHDkMB4&P-eCqJD%EO#xf^kI<iI;U>!end
z)7Wn?7irD^+Uw>rrKpn)(ApWS-<+(vT<WrK(>ln5b&ZMXi9F}lZB0)=wFmQsq_VRE
zs857)1+oMh(P4%RH2lUUaNduM;_Kc0$-eWQ7p1Gm>rBFJ3WIFZHTCX_BB+-08Kh*j
zJ)LhmvR!Nsp^GEKFNL1@kWHF1E`b<x9bpFdwflQAzh_jm!<E^lX03=0^IU0#chhsZ
z#(J&oT(g(Oon7&x#SD>ducHy4#R4PIq`GJ(A{Mu_ysIbfM)bV3;bl05U3Z?d{tkPK
zqa(&D+il;+ftzJYFPGW1Ku$;5p)Zhpt@+}f;TRD$wJq=s<A-HvBe$2fviriT+x$0+
zoDNvymp91QOEOtj)0+X3A<UIsQ4}f$*(p#gX^MLcMVNuB?wqDU4k)4&7fU|@Z8nO9
zBkH-YDMjW|ix|Qh=5)GNRK6rT%Z=vjP`#_G2q_lUkdN*`2C^uqNG1{9_v3?x+*ktn
z+^7M93zcrjGGU%_3)}RZQv}nQlj8ML9tC3_@iyyla}YvBzwZRXJhS_Jgu3;>g@-C^
zbBYqAT4yRzIfrZb%b+8fwYJuBT?5#i8|P|Kf%mPy>S}*I@LUj#M5fvIm+>Yd54^D5
z9SJKVVRfsAM6Q~WoQaHb%%Q&yPq~=2d@+i6CV#3!;Vc@tA^}LIo{iTHsMv?XJB2?s
za${fpwbz9K6M$lVZd_1*Hm*M;f&KRlsw4st(1_7!Y<<;&ZT5xXrrM7vsp;MPEoHon
z>1A_=iMgDLg#d`(3B`X0D7ZASZHg-)K;!azP2jdJJjC}lF}nv_Yl(_B_|_yt#z&SH
zvWi;`&7Bj?X<kZLB1+zj`wqG+ahmI?$y7g*7fFV~`F0y<op*4Q)J6ku87><kw-r=s
zE*&$4)@>#-J$Wtm=;JzMU2lcF9$&FCD%{5zn<JzPDmw}^S-+S@l^&z~Y}bw?t(mMu
zo5WK;DXE_DL-@4Gs);WfvuCpSb8Sm?F*N8bs#XPscB@p+ggbZLKGK#ocFL4rZNY{T
z+;`^hmgrcTFE^}u<ze?D;)jLa5X4rLJvRANv$KSrL2e_R^haI%-L|7u_Xp^x2+m#i
z2sZr=o7S>c>C;QUjtlPX?$e~NTSx*-MSVKbM#>4!DNK{VhWq5;ynoUPNFlKqTIGzE
zCWAq6Z|JFXuXv&(WZr^wk;9%(J~2jiunAucp>5&x-4-}~#6sf{b8vUwrXNyFFbYJU
zR}e4@r)-D}v7|l=$!WD(*tpE1uSajs?zo2FKj=r_kG*adIU3uik4v@%h{lW}RHN5r
z!ft!zSR9q9+wT)!M8{oVtw#j0yD~bdiu#OMSwu1_Ag@6!km)mK@YvGB?=10n+N^JI
zoca*b9r-9dp>`-Lt@OR7UnL;!TfsNiB-NC!jrrz47xUrf`#D6+QUU<fMt|q;Kso>b
z<uw2bfUC1y5YsOWO*}p2D}B=QeMM7s-QhFOCj66Yr`5=DIU!R}zia}t9mq<`*!_Z$
z{v7@*fA;}HdWF~>G;85LfhfR_dw|OXs{FL6|Cy%+0glz2%!{>lLuz3i((Q^eos9Z9
z?D)rq_iKsp=Pu0cDGVj^_EtopcS_SAO%VIX1_$98F{qw{5agM671`KkK44Y)XSn>&
zg~E%cn?lB2(G5KqM&f{cCp={N&%B{OwoAxzd6~7HO}Sq_x_Jff^sTg2ub;!ae{6!%
ze8^`YE@Y_jd#J<BVAmGQQKJCB-y-JI4D?5XfY^Ta{?;H+|EW9vO@jPK_s^aGX`g!J
z^Ns+(UwR~PCgW3&Ol{1rB}}~YKjs`nW>E?pa$Frw#@dqqh%Eo!U|Vzy-K`+6Qb|kK
z0w7C3Ls96uK^<7ldWbc+wmwgoQHwFOY6Ff6qv4d`qphv(tvwu|Aw5H|9<?{USpVp>
zA?jjVIx?frJ$y3{SSjb|9#*JA(zq~^swV3_qJ(ln(zYGW60(UN%?Z&!*d|JD8MQ&V
z6*bi>khi9zKPI;Own2k<!KBVl<_!{6Rz%Weo8&6Ova0q|(Ox}ux6_nfuZ*&hL1qk8
z_w0w$Mk3OIV6Q$#Gp@g$grNf!<x$QEu?XyWkoPG5h=h?E7mtR&9++hhUU<a{XRs)y
zyYUQM^a_#ZS6F1;$YGstrBE6`91~cT$hu@Y_9GB-Q_53iHLllz^>^rIeGN~xN6@s5
z%Xdy6K`ly}7p94!3DHjG<wZ!5BL&zvl{~`Nj>43s4LK|4aW$h2qeOkI&9D_nH`2lh
zi1z`RnJowShDkY4$IRMS<Uf{?z|YJi#dl0MxgVHske>HX+*{o{+D0$-V<8S>JI)-u
z&fE6yXFIB}bYtiyen``spfsFc$KNzW!M5W^f2}txCs%oT{|!h=8P6=8CLcelXtAWH
zRxwDW`ij(y?3$0)E;2?)sVhXoaVif60&I%gT=`v8a9nq93?_D3E_|uDVGZ-n<Z!rA
zTm}_UK;a)f;%Mw_Y)z<W<KSp)<VZ*<Vr)++p>JquY)?hVYybDCps9_Gk(Idvy^X!;
zXM)K2sYieT#Gk1l_+Lr{7#s}}7z!E&6df1@=x-?k2CNPSL->dH|2(hnafpDRI=&As
zdm)saAfN?KQg2Dw5Thp^h2)n*@DOLjD6*gP0rZ&d&>a4}QMW`2TIOTe8OOLevMwb?
z4?k7naJ1S|-gIf<E_c-jS6=Mp3?ETQ;PWe!=4Azo4WNyit~SeL@xhXEY8@EUQ_@bV
zSedH5ot`|T6WJBc*iG?c-NX7K6R>c}Lb>~rka_&gHFeB%F}8?;DjSe;GAA&A#i-zj
z@mDwXt)q*)t}-BV-Frw>O)ii!I%Y$yzH093!JVnY3hjM}F4M_4sSl>q1L^hV^*(!A
zWHp&C5(E}lj2M4Agx(f&aB2>C;Q!M3h?>>rnBpjeOPs9TW}u7-2@l_33nojs=*Y0W
zTH7ChEX%4;7XSSGwVDywN#S>JGXoeF$1l1bg53i3i*aCHX&?Q>%T*{yeA4?L{+Mup
zFk+OrJ~+_^0UB)~qVCRYK0E3rhu>VDVE1e;#TD;R_^d8Cca3+vIaADK3UT+31Qk5_
zv;KX|Jq#urNVdBBV)_IL!#$xLuMvyeS1KCm*?YUp39KPh(ZF#Sq9))DHx>JutsX+7
zM2Z(*rqfP`5=>FQy(IS7HC7p{6NfIA{x}6(v2PSzM#d+@te}S3YCH`EMxMEavA`S6
zDFk!kf8Rci@!xEug5-`bMooBVXf#7JACUD|g<(@DnOBrFu0S2vYzBe@m6scU`AiCC
zwa^$KxiSrG0czOQzGG$j#Dnn&?hmUG)BQu`c|7lRdl5hk4l$q#nsdLTZ9H9Z0`4$+
zDNL+7%iUmX>~&UnzzU8SD_o}~Jw;M@%2ow_qRvXE#@xJl_Or@b+|>}Fj4Kn7^~6;m
z9m*_k_PR;)9nvMeP#eCy@)RVCj~|GvOE63cjx}{MMmTCSJM0>MKv1UhAAPG(gViuw
z&{rqh1JcZ;qWe%hYEQ-V)To2xP-nr7zEF&2v`B23#?8*Q56xY$Q`9!JUB&i!x+u7O
z=O6AkHy?hd9=Tpp&11CeDzU?o>Ppjq_IjO5SosE;D>27IEj_9&H$(E#dJy+_H6RQ`
z<TFD81|Wa||5+Ab9AGdgU<7pl5Y@k)n=WlaP^?cM@V|ZjJW~H`bI~=BfRG%`-5891
zC05+1wwcN7CX(;URE(SC?R-a>C($oGLCiSZNTa>1O)AsKTWK!Fx4TxLIy4X9;B4<y
zG?pBRJpC^YVfqR3RniGlM;qADt8_O*--5nN5p#iW&x!)1y|@JMR9bZ+Y@Vt4DDvm?
zQ1lKC$1PQitTQJw0IS8#sg{|73sdi3+a|cT9U@|URX^TS#}%lz!;O@LT!?8`%*$`u
z@JShT{H_qgv{Cu1f*@V!nxCa#euz}>Ul?RicsqO5%v^F3?mlIRrY(wD@?wFmVfIC=
zz4!KuA?xW|uR&1pHefBsnh!sojf8#=L9m8$ANw)6gC(2~CNW#ECd`cSDLjFZV_;(=
zeAu{}z`_f}DD1*?IlFKCsJ8Gyn^^iTMoE8sr+W;hmvET8XTlfH1K}ie+&=sfx-(*{
zP+EW#YX+z%cSP^hU#+Qh_ap2o%*I#z23*sosu~(Uz^oJuk{A}IIL~qB{KI0`Hn1yd
zV%LL@oaiF4U2fgon6m}z@)|v4xz^n=$62%$NP;(4{b*nHCt3o!EsdQ=oz-=ou%~ml
z&V3_@nmC1~TEwozRB23oZP#zw_nZylq~L(ez52d*a_qTTyU_@Z?%oxPCEG1&y>zoO
z!{zaAn=o+-eANIuqC&~!7z)Kq=>?Xz5LMh)TIrk}1FV-gdP~yW;zyHg&(v~MMD^vS
z6v)KvJ>F!I(9D3{=a8IqAy4t=weNKT6>*dJD3BhtYDVw`ZNKUu_$s3%vzY8rG0oDc
zFjFxAlyq=!H3#IC2M~4grPW^t;!_yh{O(Uq(?yqsk8D3u_Y<c*b;E&YT)%O)Ed@Vu
z&7tW)@a0sP+Ih(A<EeF0|F#uQ5UwIZ{c6U9(N%JK6xAwDtd1=(+?zY0!YXE0#I-)^
zTJ)ReOnkoa5U0b{_Iu%`=N9+wV}?_%Dc%=givXa_JPPXavzDrl0BvBSpFinjs0K^f
zXrOC?VxHv|=?6$WDhFzRcI?>*Ar0Nkd@LZf2-muZ6!<M_f2FDXgB3-gqmfUn)cX^~
zO{O-oNLHQ>)oU9Thq(^iC@h&tDM|VN2r$VhpK?Y99~~<3d@5`01zsArR6Wl@xj+hC
zXDXl#26nO2XFEIQ%q^;HVsIVCT`V2<yr2AbGw_(1%R{){PKpJRrXw8(IMIiMFdkWd
z-%wc<;#ozjh&e5-b&dha#Wx2M4SAs%)Sualu&Jm!HO)6G+tkCZ7pr#2w1ijY%mJVy
z)WMq&fa07hTiCD=XqH~kM#(LhCs;rbh>IA^dych`pX5v8Xb%l1U7*?+-3ITl$`7eS
zSbkWt5z%(2s<5NiM|2kVW?bb`wkh0*5OqHRo1TKD9gHosm-5QxihkqU_*;1W3oCz?
z<u9xNy|eoMFIf5G^9L*cWXL>Hkborl^wbwiYF+7jAkcF&cvR!=BH6o{JBet9N{Zw_
zyWIGpt6qdhFN=MRpLf?J@Ti0xT~?Wj?bA~JGdd!_3RD%wQ@Zc<x~(d*4tLGRVCzux
zdXLIjSZ7Pk8L2ZjgB?(rr?kEv8HqHw8mlpRxd(V!ISks@M+Fl-<V^KLEHW~4PP)BZ
zje|{NKfD#&^0;5h*1qgJ+_z&LoMi;{`W>liB19`P@FW@p#SBp!8npSV{Lq-*?aAg3
zp~VZR?!~DhcTaH!&UKwE01A&GFme7CB*U-3p<O8QY{cOPJ0LTg^*g4<@~7&f)SQdr
z6%KRVL`mF$U<m)%QUM~u6pLh(HzJ^?g;a5QaY2{wv8buCt4NdLcoP4Gn!02!BG6Hw
z-THD7S=kN?495}tOHjKoIO|t4KReJm0no!2bFZI2FVuc+$|a_Pv}s69F!L*aeM;73
z#y@^M-f)wVy>i|TFovH)f?Fx8S&GQ<gB60wzq~cw8qM;>A#6fJU<Y)AYuO0MF?hT$
zX7NI06~M`W=$!=QA$oHm_*2Q64V@liipJ^sv6Z_lJ8>sqqIjv!ZfOa6=^310dJJR_
zj+0Ykf82{t-nM4Kv8cwlg=9=5xER%Npv)1V>@@g{u5)4pJHq?J+t<yDnuikvm<2xz
zzcoflf22rd`Z%!*kC+V0sv~vnaz=eWambHE18$FM3bdke%;!%p%%4zk^Q<w*u3wPx
zi(#FPaazL^$Dy=qw3d^GFji9sC^40_Nw$oB1+aZMKdbeMRaSf1ekf7sFAT(Hpezio
zOVEMgAQK{P1yPoJjFWMEbrhvk78Q0jEhclZIuKU%0Wa{K^OojbD%n}e(btR=f^p?_
z>It3^e?Ib~ux=6Z()w<EEz!S2B&Q9Zs9sH)u0Fnl60z{|tfFebg{sY(5^&}l+KdoH
zmHwq?w5c}ld0x2XVL)O62DY~^7Hh2T&1%!JTn}fz#7!T>{WY3cNNVH;8ZRuOIs74#
zXh1WeF*alhY~b#|mO#7iuX@(sT4~Vt5TJDKmu{2z1#a|k&wQL5E2qhVxvo>7$DB=a
zX}7veeJL~oVj#{5<Z0?_Bom_>r_yK`ChQEP`%rw%yG6Y22i3ke1cqt8-4~;?dPzca
z=`#EEgLW|~wv865@po<KYIys$>TC<(6dx~TpCjGlh8}{@!N-m6I6Z-(P3#=##JWlp
z>;rHke*3N`U{o-X=#xhA&FRIhmqBTbI)cg{)JG#72KABwQhIE0fu5}kYOYT$22xk!
z6J=Ya)rW58qlADc;(@{SwC}he<f-66YYV*n7rKmY##1<@5O}zv`>+cGm-59K{%uma
zuMv0ZQf;@8aG=87v{|8$Wn5)kV>BU|c3{9Jp~Rcer!=)>c^LRJVeEca{V@E61;0>7
zeBS&GLEpa+Yv9LIF4Nb;vljKAxVf9#rU%oMJ=N!5vFSv)eRcV+1qGw6J^NHXiEo5I
zO&8G_2PDz?h#aT7sX35jR*W|3+f6gsCMPj!gy;CZl-R>#I@kpPp&eAEJ*`#FoOboQ
zv621tt*3ikX^GYrvsO|H!WHLocAld{3f@I+0$0+G8`pj*z0rX;Jh<w&t6bBajbilc
zfZ7{n-F+nJl$`x-R0-^FTbS(#M=~xBT#KD2T7^y$+hi2kT>I0i*xe8UH>L+|-Lo7t
zH|&i>J|nfaC=RacYOtpNR?h<dtDf~47XMw(`bXcqr6GKH8yxkoYLw1wwtZ*MV;qS3
zc8#q%h?XwhpgbWa-16qn`kE|BCEGDwmY~9M+=9<OOy?CF#^en|$644%^IqTN(JUy*
z45mrk!&tLJkGa!RewC_eCA?03%ZYL1zy+;-FU^L)RFZ!H`x0#+bq}?Wz(A;1YC)hH
z>Jfde3fbg{J&}99B<m?~NW4~8z1(2tS72>_z$S*zQ)3wX%Z7*Hy`*aiXeI8T#Vs=i
zn7kzsr%#aZS!Frj{uzEBkyX$&Vx7PoiCRjRF7aIeF$?2W8}6=7-O%9)Vp*_g<%ih~
z#nrG6lh$c30wS2ucEO~8YNhffE|>C?-?t?riaKi{WbK%2@G!wA#d2;B)+*}AbOe>1
z8m+HFm#JRsBa<^xYh92N#Fq*E5|agM*2v?s9LfRK_J>T<?(>qCU%s-4zjIVp&3m2x
z$Ud{Sc4VL2DE*Qy@9^_t=$1eia-0(xxVU?Rjl1y2OKrorp*Bo(HuP2va<wpo7U*sZ
z8H?ZUm)Qi#aJ1hELl-<t7CAf{&--!9-CsLQ2W+juW<ktYY!#2OTCD;jjS8ATDV+D5
zvgrKNM&QsXfAf>ta+tZZsPE?%VR!d5fv9j}KosP-Ws<UbYHRG<RSEnE0wr?9*QMoK
zNr)X&{|J&D*{iNWWiTC&6=IRWgx&cqq70T*yz&<@!e-<?t1H{Cv%?*lpnJjFGuZ2^
zCf*{lN$PE>WG)0268I|Sg!%Sv)NCNtk*x;^dFZ{_<ll0~^QvhNN#e}Fn)V>;k``pM
zcL<B9MSRRuR9R^??z)JoJSiuw&?DH{><hZK7vTxY^3rRU<vC1C3PnV1G)ecT^x0RG
zF(a=h#MRGcm92kgmAZ{r6h84syjzHA8)#0QVY|9COzN6d+(Ao+3$w^p5lJYY5;GGH
zcldJjg6?J1%F7#?aG<iVsb#n<M#cS(e#!6uHGMZ5q8Wc?okGVabBY7K4TF-ZRW%@}
z%e|5XHJyhzJ*f@d!mSe3B5LQKUfDGM{UbFgoiU+MMO!9&EOv1uY?DpJXrRypd*^aA
zxgHY9cMBYYwLbGDtxxWD)M{EEv@_#;Dr1sst&*!C*^<=j;1wtzyl&p;2bTr4ge2n0
zeZ^BV?qHx2A()%w0ugVsuZLOcM$OX0>EX?@63@zUPW7~f)s8Zxku!v%$s3}!3rBbs
zo&|t;^9v~2?ls4nj0;NFuTfW6c;p8i#GwyG|62Vw-y%V!!CVWnqO30C*^dG9;ZEY|
z6d#F>$S#7Pc5Kx0Q<ya}2eA8eTMTKTzX1qc1`O`Aw5KAOq{yv<IAP2kcXJ!VQ%6cS
zItqKHMAi2JCIy2by4O%yPA9xx+_7r#vx}@yKl4!jn;2yO=sVfZu=pef7!=SJ%U=hz
z|8PSn7U2ba85Ucid|p2anbYJ2I@b3$>Q2y?p;-p;lca60c_T3==cgxLSKaVy0a=yZ
z)*0)S1l$Cc;joP@ZRnZZr78YE?5~<8MP&NmQz&Yee)$%%roEQ*<JUZcZgVQaAM$i~
z;w_fe3OF{iD!_hbJ(aU-(0VI#6BUk|&GJ9Tmtin0MNujaLA5+g2*?e%BAGUfa0Q*O
z`i?5cuMn9=QxT|Z?yKMVsQLY}(HG=Lq?$7$5#H=nIgcjR(SJ!KThhXzk?2mEZgHhu
z6?iubL-Y%r{T`lLC)CY9<PCVTon2)MrjeQrQ|?m)tw;|Gr2IIIb;NoC4GHACJd_X$
zyVUH??{M29w#t8)&MExm^Ew-fJ2_wuwGaXwhW|QUKsMuY51TMCtt0{K+&X{Qpnn8P
zL3xq{EyHK45#qKLDy~W1u;X5tg9;@(nv5SoxlazH=8|pwL;Q*A?F${~>|tqm>rR90
zz4C|61IRB0A|fg0XAvm|Ve-UrMv=jgQX@*2v1Cz^6(+dDWd@_BysH!#ILEx?`;gKr
zvN2y2RsD}23u5((1_87&8@=14ZA7T0h3t>6Se$Xj@^9PTh=d@&#=ag~=$Z=&aiuqI
zs=p$`C$}9lSUgBUv&A(Rtud0Rj@5-#9`>5X=!m;Zrf*PXr|Bj`xVESU;6e2mb5#C<
z_-}5^eRAVG%Q8lJh(GnZmw!QEXKm1Vji&}v{VQJCT{Uk*QbLLPXY7XXs9w5*9aGS`
zr0wUbEK7#m>W3`c7cXix(ks`6eVy&syZVudA|N$BPZFK;<w+9S^4bf=HN<Nj6`xNv
z1S%c!wpsO+K|QwL^L@SpMAhV`cAvDKRHMF=9OmBE4UwQS<h%RHGs-E{W_p;Y`XE5)
zjyr?#(&E*$=PghQ<u|1Qg##|=<`}>tP|#BuiG0LmpQsJ#iGll-3CgBxes!vpPZg%m
zL>K9*&zl28w^uoj1~5O}3%G023#&`6TKpDKpSc<IqwvwN#vsb3?E_)QQcydi4gIqI
zoOA_{re~>VLU8Vd>QcyuMh4|GYt{p|N;eRSAwt}XcpgP6Vb8&WIUk9$yhqRcTi+_e
z;Dkh`#>Z57a2WytG&VmIii9MG+s6eha+V$W(sbmQXYe5?3a`JvB)Y3bk-t0fQn`rk
zL%bQ<NnDBNVxy4k=c}#KcpRqNYYkYI*1dO{id8E&ko$dNV0xzRZxy_wJ9lf%YljYX
zkHMcBZo~cSP}9oz@FMTooF&!}Tug=WvnFURo_1_eitZSsjk*iV1!WCE)o$=77U=k*
zZwOi9hSH@Bqo^&HFA<$(kmySVgDJ9oH2fmgkcz*$pYiGm$!1*z0*AQy40OR<6xl`p
z<_75h)P+8|G55EC`{V}jztx4h|5X?I<MT(r{c{|FAcF9QA>CqzXX2$du&ISLz316-
zQrJ0?J8;sC*~5I>{UY8yv$CKwQN*phcbu()m8enAyU_XNUBrP}xmdRsc0)!J(KzqW
zm8^ANr7_Y>NHb~218*&*u5i#zj3)+I0$}$(DGUE~Gj^NGw+@<@cHVubHwn!|DV)hA
z)oNq;c|hODjl-E?YLs%!(6j7G`kP(V)U5xh&$%^H%jA{Id=5ZD$11uFqtUQyItoZo
zBMN@(3uZe?vLqwa_Vqra=3!KRKcN<8`x_&oy<>#^bfAk@<SWR`#QhY9FqNeH9*3$<
zO()bxz5lNSRsD6*@NZ^xMxB-p%I=4W8K`;gz1sz~QV%q3gfO_h0aRAAl+CNmWEzRu
zH#(kxbtG$3xrbTm0iU<R+i-HO#goYWM?Q5it!j?}8`LRbxr(hg1=$maMtfO?o2H(6
zd}ul35KQhFM6;qxb8aU7@3tX14Kw)Pu7-OoZ!hml;4a5C)-m8Kfb7DS<++QS;g;O6
zk@c2Ko8Km+SQn&A<wRA4`<!#q<KnY{k<WC?)fE?j&QBp3Z3noq%Z_t-C2R>^)n|sW
z(|+1P9M+4C@`biQm-ODUV|A|<KVf+kEuW)B>v>9IylF$4<J!_!))6iZQ*2c)jeCzc
z#ooa3Ry|~XlWM@$%9lLI_&rGpV@119$C|sUHAsT+h8_=GjzmyeGWondT32#Gr}-95
z^fj>{Z&pVg{y|5s!p8nBuOaipZ&GGQbft!)kZ5p~1<ECcBhgx7l;fJQ@`dhzzbxEu
zdsjwWQM3Mt0Y;vPhlI5;X2qeUWe!8Mr>o;E@N6@2z_sO9l830-&m>DJ*;RuxO!LdQ
z>30(g7kIm)IGr1gvT=)R*HZ*K14g1)_?ct8*Y^0G$AB{7Yt74i*laCGsLKeBPS`E;
znN#}ZZ8~+}p`HNZ0-Nb#Yh#SiW9|xbV>f>}-tovJH^a<y{Rc@xHL=yn_Hdy`;2t{8
z6r1s@0iPqq9KL@3?UV(h-HtF81u6@|N-eX%g7dwfvkeQqtB-ak6b_LsTH57(t9Nl@
z3xgH<5b&fp2;<4r+Rn;ssE#{=KyeQ?27$6fS#;;x2NW46!VO#JuovU<ThAmfIH#QC
z`|M3IrJz|m;}AcZ&2JTHhC-Bzg<FUr;A&m;Y7Ix@r9$#O73Lh7>~{q<FLWB1@HNda
zN8)~_cjsadBD^>X3$*A(uBz;pFrA+jZ^W+T=mflOizN)@w(@Xi^c-TPHsb~14=9lu
zh<4MrMuPe=X(g)Q<$@PQvsI3N_ypLOYOyMaaN#GMBxDdLIpQo5;Kd*4vsnJBEwp5b
z_n(3RJv)c>jU*DgH?!AefY;Eja$0OSB>7VpQ<inX`BQFJK)xVh?P%bMwVSju6QoB!
zbKX-(oaz|`+hNX~a5z%XKkuU=+YZqdPZtL@7N|CWxJGyAuvU`(BAB2Jom9>p$vEq7
zsIUNqEfOZM8zH*LQ(zfv;jeQ@JSV4<>p1Hi(y5akWRlc@g`KTRUrjZoEllJ*Jgoc@
z!8_GO96c$RW((zky5$7o00V-v-o50LTj3u{f<tav+6P`qPV_M~-g^|Wr$=NvcIQTH
zl^C(|rQVPyrr;tWCNX?#U>94LY>JiVz4VIEv6Pkuc#!$m;!{Y{dyxp@%u&I^B-Y6)
zw;!atuL-V%o47V~Y@k2><EphX`J)NYgR3#i0^QmFSr_}WEdPVm|D`VW$L9}L|2fIk
zF@*#qd{Ko~n1i#>I#<+GOu1}P^5gBsoNU^sj7tsYe=cT<y%$_Wzv5p=<4#f=GGdoj
zFfvj?XYx2nI+ffl8)=Uxs5nOHILWOEp7)}0M%tVJ1#8Gt#BTbiedY(1`BtKOr?^^p
zmpuC$V5=T~QWMfC8#jjNB)HQh01;?F|60=>75YwXxFiLR{W#|;?XCSqgeodTP#eBI
z%tuElS&n3Y60BvpxT3BvOQS7VYM{|YxZj*UMhLyu)weN*v;sJG1|NE}b?d93y}MyM
z2#tI*h}e(HS<YCmUwh9AMOi;x!0OWr3}z(vb;1f%>=0|xe&)DkdGGXa@=m&k^fO<o
zu{k4rxS%-K<A93uhz{B%+}~Ze4T9-)Do2=|L%GZ=er-E!DxUDAh^Xvb@2k3>6-^;U
zewf0OS!&HjNp*rZZ3-{l#1(qq>c&Uv>i;IkNbVm3rA>$l&WpXNR!$h>l7xJ-8mve~
z-A5=&+;ILuX!~keEt<4XD}5D0VK=OYZ|`xZX}qXBdY|XToI{G}nov5rij)HpL7oeH
zGTRyVQGB<-`{uotXr6P#ni>pDn!jNy_dCt;k~m^viY;bTU~y}I<419!ZgPl{>F;p8
z<Q{qF+fXtoV;^E9j%dUpbXZQ={u%Kq+UdE|GyTo+KJeVSl_;h~F~t#H>JyINwn=)x
zjvu6|JubOR;So(-cF<G~G!JgvhmGsM>U8Opk2uM`NkTZ5a?Tz{s>tKq4OW)py;O!h
zPCh*q%E-o`K*(h@gdF?!Dl*`zW*@28b<Bveg2#|4(XSnGXxK{21tFC5#-N!MT&byq
zTe4p@_`1bqmt@kc+C;`v^cz|e!-`70nAF~XxWE@7tgI^{-mkG_e#A;*G3c0hC}$Om
zp-(}DOi&GsDeeqVCK~G;^2|hLh;!D|PHNBFRubqTwmr&;=2&5*4YB?}%e1BNIWgaZ
ze7S3H4w_zkQx?{`CVxElAP^=Y>#g@rvR@hoRTq!OiL#<V4gP^wO*9Gy5^1Ev2mJ>t
zs(4QIpIAvh#(be^Kg4pf*V{&(V7Mf5ccyFOv}m0aTeo>@vw7GBk|s6MYS_ju=(M=-
zR=?n=?UbYxe#j)69surI>oHT!x|ygv5v*VM?WfABcS~uac>WE1sU_XqvBN{uknU0g
zhB8HByd0s0=!Z{IZjQNW$2Z~f@uKupCCYO>ElqgG-FAg+|6-Y7)<`ZA<F89CiysBx
z^Qz6LABN@V&g;FS?8Yd1RtWI<fpnK0mJwYr%6d>Hl?F<BEkw}~P={#Yl!RzJF_b7q
zzo%ge*HK)TmAcw)vF55*MaG;NA<a&ck{}`axzEgFLkvS?AuF+n-i`d>n}?PnXEtOX
z#Ob5{6Dxm!@_FtJ!TPE4P8VH)sQ&Hj?$3h#fyqCweqi)Kynt$=j_i$4hia6-6nWG9
z$~?pAAvj{{#+a(q1Jf8I-m}%|G^@m#(%RqhsH-1ahsO!_o4sUXk~x#V+lB_BekTTD
zVSS=KBJq}toP&rG97>Y$lAmZMRz-EXR*eeH0v^Z8QQs+zn7mQb^lu@dyNr^Gd{9eq
zq9u+Vhn)|nzk_zt19`$lSvu@#P$iO2ApXtN7n6KUgl#GQpvQA;e2|*)F)XC&cdL|u
zo#^z7JcJ6VD$&#;-FNnJtw&Kh8-{|`N6{`7s^_;vvG?J+%3aOTl)rteXa%GS+p?{w
zVdjuA#eRJ!mR4zrU)i!a0qP9oiC}6QU=*7AH?-1oh5Nq_Id4%B-mr`<A@l@^sy(R^
z?`02|tRKHeS%fdej8UTOpBPYOt5P7>v~G=ndw*2WDSg*D=k{)u17w0G|C~$9`Gw$N
zj%)o~&Ue5mjC3%s+Mj^4n5{K87G1E^)a#HrT+{f<TMzV>&*!kEznYF@mVa>JZ_8hm
zbW&W#qaC**I%p7v@oY|DL&mcKnmOS9JXKIFCC@(zl!7qkO{~MaO|mKC{_Cdq%NbJ@
znovDNX4!@*wLYWUMWsG)J#Ioc$_t5+|6X$RiWf_pXPAj1C^c2wTAOJkT^+$uafkuk
z$7Jb;kMOS!PRLZrP@(iketby8M%iG$<+5?+0`ff3{DGnnN=B~OiyI_mYWFonu(z=G
z<$AUCKy~Jl<($yvHKr@&YQzDnjMhVH^}X@0*FC-Wje`e=qxD=RqcE-Oh`^C)tp{Tj
zPIF}7>BS(cnFGmR^5$z?;4(+o$m`f474<b!$SgpCpRXl}gn9j=Stqk#eXcF$T!`oZ
zi2L0-WG)wll!QBUVsG>KRZNvhCOmNTEek=pozTgPrN~SAKU3uE50?iX+ttO+J%obt
zW~t#7bA6RSi6PiLhAr<EPG>UtS7)K0*IE?W&ye7&Bt`nV(U!2KjDeBP84C|9=Nann
zvEfclOWF`F>&=>f$$n3-Hzpt5p|w)0PyOjBua;YUUrPQ5E9#(c&YxJBLgw?K>mtUk
zik~mr7I3whuoSV)#{YQ{PSc^#Ty9&#qC~TEGg4%Ikc2>xF$xvez?QUAU~qZl%ZRb$
zd0be#9F2&x;wjMXB9Br>H9~il3`8dfp=LQ#AL>ftBq$soLse`k(BIcOd(rcoxmDzr
z4R+CRREBoQ+9xrNZbeE**C}T(gEznrFTCvdn1zHK^4k+fktRmJ2FjEXh!S69lXmos
z9e9_E+GC9njvJ;O(5~CO>~phCvnUcks^1~Xh}4-M=`F)IT?~3sYTpr!ANM-X>5-n@
zh<wE&bNmo@kOb0~H&0D~Igqr#MZ2MCL_;QwDwHog*ewGuGG({yKe6)3l+R`Pe`PCw
zeEtCDpZCXdZ6MxRr!SF1u*9;jGTqRszY{k?&g&X}cs)P_leMrH2CwiOPT--_^QFS|
zq->{&5ryj)g+0k61zL5W05ko5&7|MKR42i3eCXE~OWutJa4nmWunH6aNOh_a4g<iD
zAp5xWK~UIC;t<SpPJFgPIt0+D^I7CCOH&vVn4$aHU68d{5Pdy_y8Tuoa3Avqg7&1x
zh&$@`(Fot526pW|f$gV(KP1c4r>ThE9I3FQqc<$PaD&}IF>Lpth0c$!?l_jusg30l
zT^i>4cV|MpyaS;=4&u03I3EdCew2+1NkEY$gFlNEg&7BE+|oOX8O^ij?t;Y?xR*h*
zCgf={-=daXlp}noEFh$Y>(E<i={!2l^;B^q<TN7F2((l!l3kf7)H5*nzsXWM%pN!|
z=t(ME5ny5;fs%`p#Ln}YeCHBpG8S(EO4);iysNCbP!T+D)&+-`*53&xlBT4_E@Y=y
zsx)xZ(p_7Cf@UpA%?k|aPN~ESs_{thBD!#B!#m^7IRhb}7J<vjIf4~$uxqGm5_&YF
z<%w_-`1aeuxz<x^oaMghYTln3VuX*#O?ONyx<u`k6z`Rn#o&+(R*$il+B&h+Z^)j`
zE7xri(M(!kW2|x4HS@*%#^2DQIr?xAG-9^Wz8kt$w=0luwAYD+h^9cMJ~$mu_*heu
z4{>-cMST8FTzJ8OhVC2JK!Ztd2wph>sSkuBLU7aE4lar{awd|H&x|Fn$1lh8@z5mv
z`{Juhx2?-|4ao0;kfK*X@s1wPwnISxJ~Q1GdBNINFv}0ujw(Dp9?fLyh!kbZ$*X(5
z-AC5DQ}uX=ARWuJGHzG-crGw2kH{(i6<=Uh&DLbEOL-81`YlNZ8&U5d;tE@)1Gh=X
z<6oKBc)!E5Bkii<hj_O6@Xl*z6R5C$9N`DmIawlzYa!KxH(Ea4+8XqL<tOUUJx!ZO
zqObOWs7XqjMH3Ha5hg!C>DmtY34j=0vtSq%&8+;eHjKh@I*Fj4v_ZTw+IG=)s4kF8
d>44lK5W6xNBeH_AVFOhA^D-^Ekb@?V{1;EH$2<T4

literal 0
HcmV?d00001