From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 30201139694 for ; Mon, 8 May 2017 23:32:08 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C9C1D21C07B; Mon, 8 May 2017 23:32:05 +0000 (UTC) Received: from alt1.smtp6.plusvps.com (alt1.smtp6.plusvps.com [89.201.164.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4DE6B21C03E for ; Mon, 8 May 2017 23:32:04 +0000 (UTC) Received: from lin22.mojsite.com ([178.218.165.68]) by smtp6.plusvps.com with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from ) id 1d7s8H-00071t-Q0 for gentoo-hardened@lists.gentoo.org; Tue, 09 May 2017 01:32:01 +0200 Received: from 93-138-17-117.adsl.net.t-com.hr ([93.138.17.117]:45876 helo=g0n.localdomain) by lin22.mojsite.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.88) (envelope-from ) id 1d7s8F-000GXa-Lw for gentoo-hardened@lists.gentoo.org; Tue, 09 May 2017 01:31:59 +0200 Received: by g0n.localdomain (Postfix, from userid 1000) id D30827C2; Tue, 9 May 2017 01:31:03 +0200 (CEST) Date: Tue, 9 May 2017 01:31:03 +0200 From: Miroslav Rovis To: gentoo-hardened@lists.gentoo.org Subject: Re: [gentoo-hardened] Technical repercussions of grsecurity removal Message-ID: <20170508233103.GA27111@g0n.xdwgrp> References: <20170501093843.GA927@gentoo.org> <20170501132854.98400aa781d29f13457dacd1@gentoo.org> <20170501135808.GA644@gentoo.org> <29deca69-e059-feaf-a312-b0ae53e9610a@riseup.net> <20170508180807.GA18570@g0n.xdwgrp> <20170508204912.GA15294@g0n.xdwgrp> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="zx4FCpZtqtKETZ7O" Content-Disposition: inline In-Reply-To: <20170508204912.GA15294@g0n.xdwgrp> User-Agent: Mutt/1.8.2 (2017-04-18) X-PlusHosting-MailScanner: Found to be clean, Found to be clean X-PlusHosting-MailScanner-SpamCheck: X-Spam-Status: No, No X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - lin22.mojsite.com X-AntiAbuse: Original Domain - lists.gentoo.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - croatiafidelis.hr X-Get-Message-Sender-Via: lin22.mojsite.com: authenticated_id: miro.rovis@croatiafidelis.hr X-Authenticated-Sender: lin22.mojsite.com: miro.rovis@croatiafidelis.hr X-Source: X-Source-Args: X-Source-Dir: X-PlusHosting-MailScanner-Information: Please contact the ISP for more information X-PlusHosting-MailScanner-ID: 1d7s8H-00071t-Q0 X-PlusHosting-MailScanner-From: miro.rovis@croatiafidelis.hr X-Archives-Salt: a4a17270-d535-4ae8-a093-44b1c6d4a0b4 X-Archives-Hash: f6d031f64a51f59d010e0dd3b5c940e3 --zx4FCpZtqtKETZ7O Content-Type: multipart/mixed; boundary="ew6BAiZeqk4r7MaW" Content-Disposition: inline --ew6BAiZeqk4r7MaW Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 170508-22:49+0200, Miroslav Rovis wrote: > ... > I'll be back with an ebuild to discuss. > ... > On 170508-22:07+0200, Mathias Krause wrote: > > On 8 May 2017 at 20:08, Miroslav Rovis w= rote: =2E.. > > > Unofficial forward ports of the last publicly available grsecurity pa= tch > > > https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-un= official_grsec > > > > > > which I cloned into my machine. =2E.. > > ...as it used to be the case for the official grsec patch. So nothing > > has changed here. ;) But I can understand your concerns. If you're > > used to getting a patch and have to use a git repo now, it's not > > intuitive on *how* to make use of it. But, again, see below... =2E.. > > I'm not familiar with the gentoo ebuild based package system but I > > guess patches integrate more smoothly than git repositories do. So > > here's how you generate a patch for the unofficial port for v4.9.27 > > (just pushed ;): > >=20 > > $ git remote update I'm used to doing: $ git pull (and I think it did the same, but I need to do it all over, more below, and in my next try I'll to 'git remote update') > > [update log foo] > > $ git diff v4.9.27..v4.9.27-unofficial_grsec > ~/unofficial_grsec-v4.= 9.27.diff Yes, that is how I got the grsec patch. I named it: 4420_grsecurity-3.1-4.9.27-201705082100.patch This is what I did by comparison. The 4.9.24/ is gotten by: tar xf /usr/portage/distfiles/hardened-patches-4.9.24-1.extras.tar.bz2 and so I created: mkdir 4.9.27/, placed the content of the old 4.9.24/, except not the old patch, but the new I placed in it. See: # ls -ABRgo 4.9.24/ 4.9.24/: total 9380 -rw-r--r-- 1 2003 2017-04-22 17:58 0000_README -rw-r--r-- 1 101631 2017-04-22 17:58 1023_linux-4.9.24.patch -rw-r--r-- 1 9451813 2017-04-22 17:38 4420_grsecurity-3.1-4.9.24-2017042207= 32.patch -rw-r--r-- 1 665 2016-11-10 01:55 4425_grsec_remove_EI_PAX.patch -rw-r--r-- 1 1359 2017-01-01 18:15 4426_default_XATTR_PAX_FLAGS.patch -rw-r--r-- 1 1444 2017-02-15 14:14 4427_force_XATTR_PAX_tmpfs.patch -rw-r--r-- 1 303 2015-08-14 08:04 4430_grsec-remove-localversion-grsec.= patch -rw-r--r-- 1 1528 2016-08-14 12:16 4435_grsec-mute-warnings.patch -rw-r--r-- 1 641 2015-08-14 08:04 4440_grsec-remove-protected-paths.pat= ch -rw-r--r-- 1 4184 2016-12-14 13:33 4450_grsec-kconfig-default-gids.patch -rw-r--r-- 1 2616 2016-12-14 13:32 4465_selinux-avc_audit-log-curr_ip.pa= tch -rw-r--r-- 1 2553 2017-02-15 14:14 4470_disable-compat_vdso.patch -rw-r--r-- 1 1467 2017-01-16 22:22 4475_emutramp_default_on.patch # # ls -ABRgo 4.9.27/ 4.9.27/: total 9184 -rw-r--r-- 1 2003 2017-04-22 17:58 0000_README -rw-r--r-- 1 9352316 2017-05-08 23:47 4420_grsecurity-3.1-4.9.27-2017050821= 00.patch -rw-r--r-- 1 665 2016-11-10 01:55 4425_grsec_remove_EI_PAX.patch -rw-r--r-- 1 1359 2017-01-01 18:15 4426_default_XATTR_PAX_FLAGS.patch -rw-r--r-- 1 1444 2017-02-15 14:14 4427_force_XATTR_PAX_tmpfs.patch -rw-r--r-- 1 303 2015-08-14 08:04 4430_grsec-remove-localversion-grsec.= patch -rw-r--r-- 1 1528 2016-08-14 12:16 4435_grsec-mute-warnings.patch -rw-r--r-- 1 641 2015-08-14 08:04 4440_grsec-remove-protected-paths.pat= ch -rw-r--r-- 1 4184 2016-12-14 13:33 4450_grsec-kconfig-default-gids.patch -rw-r--r-- 1 2616 2016-12-14 13:32 4465_selinux-avc_audit-log-curr_ip.pa= tch -rw-r--r-- 1 2553 2017-02-15 14:14 4470_disable-compat_vdso.patch -rw-r--r-- 1 1467 2017-01-16 22:22 4475_emutramp_default_on.patch # And then I issued: tar cjf /usr/portage/distfiles/hardened-patches-4.9.27-1.extras.tar.bz2 4.9= =2E27/ Similarly, looking up what=20 tar xf /usr/portage/distfiles/genpatches-4.9-24.base.tar.xz decompresses into, actually it needs a folder created before it does so: tar xf /usr/portage/distfiles/genpatches-4.9-24.base.tar.xz -C linux , I copied it to [[ STOP, I found why the below, exactly because I didn't descend in that directory when I created, be see further below ]] However (and also logs are to follow), the patching didn't go right: # find /usr/src/linux/ -name '*.rej' /usr/src/linux/arch/x86/mm/init.c.rej /usr/src/linux/arch/x86/entry/entry_32.S.rej /usr/src/linux/mm/nommu.c.rej /usr/src/linux/mm/memory.c.rej /usr/src/linux/net/core/neighbour.c.rej /usr/src/linux/net/packet/af_packet.c.rej /usr/src/linux/net/unix/af_unix.c.rej /usr/src/linux/net/mpls/af_mpls.c.rej /usr/src/linux/include/linux/sched.h.rej /usr/src/linux/include/linux/capability.h.rej /usr/src/linux/include/linux/mm.h.rej /usr/src/linux/fs/namespace.c.rej /usr/src/linux/fs/exec.c.rej /usr/src/linux/fs/splice.c.rej /usr/src/linux/drivers/char/mem.c.rej /usr/src/linux/drivers/hv/hv.c.rej /usr/src/linux/kernel/ptrace.c.rej /usr/src/linux/kernel/cpu.c.rej # So the above happened, but (and this is the "further belows") it happened because, here's the paste: # tar tf /usr/portage/distfiles/genpatches-4.9-27.base.tar.xz | head linux/ linux/1012_linux-4.9.13.patch linux/1022_linux-4.9.23.patch linux/1008_linux-4.9.9.patch linux/1005_linux-4.9.6.patch linux/1011_linux-4.9.12.patch linux/2900_dev-root-proc-mount-fix.patch linux/1009_linux-4.9.10.patch linux/1024_linux-4.9.25.patch linux/1016_linux-4.9.17.patch # tar tf /usr/portage/distfiles/genpatches-4.9-24.base.tar.xz | head =2E/0000_README =2E/1000_linux-4.9.1.patch =2E/1001_linux-4.9.2.patch =2E/1002_linux-4.9.3.patch =2E/1003_linux-4.9.4.patch =2E/1004_linux-4.9.5.patch =2E/1005_linux-4.9.6.patch =2E/1006_linux-4.9.7.patch =2E/1007_linux-4.9.8.patch =2E/1008_linux-4.9.9.patch #=20 # diff linux linux-4.9-24/ Only in linux: 1023_linux-4.9.24.patch Only in linux: 1024_linux-4.9.25.patch Only in linux: 1025_linux-4.9.26.patch Only in linux: 1026_linux-4.9.27.patch #=20 And I'm sorry for mixed-up reporting, but I will leave it like this, because I need to go to sleep, can't improve it... And there are still issues.=20 With the ebuild attached: hardened-sources-4.9.27.ebuild the kernel installs, but upon "make menuconfig" it looks like this: .config - Linux/x86 4.9.1-hardened Kernel Configuration =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80= =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2= =94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94= =80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80= =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2= =94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94= =80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80= =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2= =94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94= =80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80= =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2= =94=80 =E2=94=8C=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80= =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2= =94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80 Linux/x86 4.9.1-hardened Kernel = Configuration =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94= =80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80= =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=90 =E2=94=82 Arrow keys navigate the menu. selects submenus ---> (= or empty subme =2E.. And also the compiling fails. But first the *.rej. Less than the previous time! See: # find /usr/src/linux/ -name '*.rej' /usr/src/linux/arch/x86/mm/init.c.rej /usr/src/linux/arch/x86/entry/entry_32.S.rej /usr/src/linux/net/core/neighbour.c.rej /usr/src/linux/net/packet/af_packet.c.rej /usr/src/linux/net/unix/af_unix.c.rej /usr/src/linux/net/mpls/af_mpls.c.rej /usr/src/linux/fs/namespace.c.rej /usr/src/linux/drivers/char/mem.c.rej /usr/src/linux/drivers/hv/hv.c.rej /usr/src/linux/kernel/cpu.c.rej # And here's how it failed: # make && make install & HOSTCC scripts/kconfig/conf.o HOSTLD scripts/kconfig/conf scripts/kconfig/conf --silentoldconfig Kconfig HOSTCC arch/x86/tools/relocs_32.o HOSTCC arch/x86/tools/relocs_64.o HOSTLD arch/x86/tools/relocs CHK include/config/kernel.release UPD include/config/kernel.release CHK include/generated/uapi/linux/version.h CHK include/generated/utsrelease.h UPD include/generated/utsrelease.h HOSTCXX -fPIC scripts/gcc-plugins/rap_plugin/rap_plugin.o scripts/gcc-plugins/rap_plugin/rap_plugin.c: In function =E2=80=98bool rap_= cgraph_indirectly_callable(cgraph_node_ptr)=E2=80=99: scripts/gcc-plugins/rap_plugin/rap_plugin.c:132:87: error: =E2=80=98cgraph_= for_node_and_aliases=E2=80=99 was not declared in this scope return cgraph_for_node_and_aliases(node, __rap_cgraph_indirectly_callable= , NULL, true); = ^ make[2]: *** [scripts/Makefile.host:158: scripts/gcc-plugins/rap_plugin/rap= _plugin.o] Error 1 make[1]: *** [scripts/Makefile.build:544: scripts/gcc-plugins/rap_plugin] E= rror 2 make: *** [scripts/Makefile.gcc-plugins:129: gcc-plugins] Error 2 # Good night. In case somebody wants to look up why it failed, and should I ask Mathias or file a bug, or something else, here is also my emerge --info, gzip'd: Good night! --=20 Miroslav Rovis Zagreb, Croatia https://www.CroatiaFidelis.hr --ew6BAiZeqk4r7MaW Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="hardened-sources-4.9.27.ebuild" # Copyright 1999-2017 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 EAPI="5" ETYPE="sources" K_WANT_GENPATCHES="base" K_GENPATCHES_VER="27" K_DEBLOB_AVAILABLE="0" K_FROM_GIT="27" inherit kernel-2 detect_version HGPV="${KV_MAJOR}.${KV_MINOR}.${KV_PATCH}-1" HGPV_URI="http://dev.gentoo.org/~blueness/hardened-sources/hardened-patches/hardened-patches-${HGPV}.extras.tar.bz2" SRC_URI="${KERNEL_URI} ${HGPV_URI} ${GENPATCHES_URI} ${ARCH_URI}" UNIPATCH_LIST="${DISTDIR}/hardened-patches-${HGPV}.extras.tar.bz2" UNIPATCH_EXCLUDE=" 1500_XATTR_USER_PREFIX.patch 1520_CVE-2017-6074-dccp-skb-freeing-fix.patch 2900_dev-root-proc-mount-fix.patch" DESCRIPTION="Hardened kernel sources (kernel series ${KV_MAJOR}.${KV_MINOR})" HOMEPAGE="http://www.gentoo.org/proj/en/hardened/" IUSE="deblob" KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86" RDEPEND=">=sys-devel/gcc-4.5" pkg_postinst() { kernel-2_pkg_postinst local GRADM_COMPAT="sys-apps/gradm-3.1*" ewarn ewarn "Users of grsecurity's RBAC system must ensure they are using" ewarn "${GRADM_COMPAT}, which is compatible with ${PF}." ewarn "It is strongly recommended that the following command is issued" ewarn "prior to booting a ${PF} kernel for the first time:" ewarn ewarn "emerge -na =${GRADM_COMPAT}" ewarn } --ew6BAiZeqk4r7MaW Content-Type: application/octet-stream Content-Disposition: attachment; filename="emerge--info.gz" Content-Transfer-Encoding: base64 H4sICL3+EFkAA2VtZXJnZS0taW5mbwDtXHlz2ziW/3v9KbDq7qnuTKjbR5RS7cgSbWusa3Uk znR3sSASohjxCknJkjvZz76/B56ynaPnqt2pSUXEw8MD8HC8C0Ay8YKIm4LVy43yKfvRP0Rr z2WNcrN8pqwsl9tK9SVb88AQrjAqtuVu9xXuGGfNl8zUdeUUhCAwbWupK/VyvaEEjZesWX5V rjeVtJpSO6826xda9RXbX5xpZ82fTtp/65+T2SGMhMO2LndEiw2IMeWz/Spxv0pn2NMma+F6 jhI5itbva3dN7dXZqTYJPF2EoRco91a0VkzhRp6HATVObq1LNhROi+FP7azxqlavVlnkRdx+ CUwd2VeNM7YKhJCks3vuS9qLV/TnLCcF4pwQknRuOSKMuOMzb8UC4XuhFXnBgcUdt9iMRy9Z 9YwN+YHVq7VzVq22mqetao39sYo/J+GaLTk+zXJT82v1E9tg16MFQ/LjtWwCC1o/Z36tXP1J gifc95VwLWw7rFBNyWP8J2mj1Yo7PzHETnnPd7xCH0X33JVlxuRoqFzFCh+R2tw1K74I7EKT jJ1iIco1Jag9Qyv3WIG6Xj4v17JGX8a776jeNrLsiu7wjSh20ihflGtP6fyNWWSasWq5jn2R EYaHUMFsyHkQNj9426iVMtJ4SuX5wg30Qr9o7vQpWchdY+ntc7p6uYa5ah5RgkdhV/g28ojD Vk5ZGH29fPaqOMfH9YpzUCvXahDToJ5XBqpOqNoRChP6GHW8OBJ1Wmip0OsSooVpDXNu6+fP kEEbHG0AksVm3r5UFIVhvWRn0DjV5xs62nS18kVxG+WE0DlA5NuuLpXWszP+eOc0sZFrj1vd iMCVzZIqWQtuiACDxkRlXLIfd1YQbbld8cKU4idZF7yEFakFi90kCjHrZZoKuiXC1slJgiVK 29N5ZJFUVLZhUPFjrSyLwoOrK9HBxwDuxTKgbI7fBlaLSVyrUpFpOW617AVmJVFjxdb8wEL3 0aHFlBopkhPHCp5lgbL2ESMOh8alKUn4PnF2jyvueEDLUoFUOdytJASFEcQFz4zBtCKMgLue C6g4hm0oAjRUBvpZLo4HdYoReXrk+dvwK7wVqb6FwXUU+SFYBB/r7bKse07lcmWKcL3haVu/ g0ef28LxPPcrTB6R/ZVcGmKLnkXWluLtoKz54XdwCxW5DLyNiNbCciMSk+grjH+uRmEMaffP MO9uQR/vYCt6rq2/YgxyPyt64IUhdMJXd/wx5ZebJ0N/ctK57LdL0jUqEazdXZy1S406k/lu V53MtVv13dvxtDdL6Nj/pORx8aDfVUcztV16wZQ/qYtBJyuZTMcTdTrvq6j6IsNO1dl82u/O Y9xg1tG6nbh12zptntYYt8MmhJxhlNbeTxLF8Qw4Tsvo4nzPdF6twc3QHcvXLSacba26qe2Z cMNa47yapDUmwtqrxoVMzi7YyrmAI7I2uELrYTP5vdhXM8DBhMG9CbwGiwILvljEtuFS4VvD 8tjO4hf1/T5NE3YOzoo4yBrFgEZz7WY8xHTI1Qnh1QkoiAglk073Rq1rw3FvMaApgWFcu5qO Xc4IfIjBEOupr4UWrh19CUfR2huM67TgIWbG4qEk1uAFWDqLm8jRgKGLEtBYOikkVnxrR0lu ZdlpjynJwxHJg2YG3tYv0K29MC3y7l0RJDBpOQI9yzUELQsYZ7pp0c9gBt/RT1uFMsFG3TB0 Y/NIMMMK8As3WlxHuDsm9r4ViBBpRCxi5zLiIKFIMIn5wprp9tYQSFceJMLUYttLIBbLEU5S zYHHKj+aw01MmCtML7Kk/MCBvYckYMZFhP6tFQt9ATNqMri40Takuf+wFRpGQuMkjimNAo5x 7GhG4onHyk67N7kQLebj7kDtjNqlg0Dh5Xg8x4bvTLQFCYmOPYSGdU8yT3oB8k0mmMUOphbx wBRRqMXZhtZ8vqCunTMHC2ZR1TR0YD7fa7FDwHyMdh8BwZT3VsQUL9BLJ93OYNC/nna0K7Uz X0xpF27E3mL3XmCEbGV798yHt8vgcqMrmggEWRFf2liXDSaLsw0Plpi7ZcCx5ltEArQTvABN Xy76g167lMQsvq7ELgnUIgqvBp1rdKY4PNDXbRcLsBNMGdeZ4lu+SAk0OYdERjOZ4PaNOmGQ 5ChSUoojMTfj2fxzvVJZ2uYXKGQPz5Tvsw7iHq2zi7PHDdBKaz110HnXLp0iPx4M1O4c8dpg cd0fYcjGKl7nFdex4sEHbFFu0A6lwCkIDHIGWYj4CyYlxPaN2+jP+uOR1r8ejaekSshGQeNs sQ6VF+xF2T/8rHu/shff+4eybvMwZC8qRuD5lluW+142Mp5eXV9et0vV14lwv66dJgVzdTps l4L9LlL2vkPI0VX/mhT2XCXNXBGRnpgXa3nWpG8gvNXK0mGRA88MuFMJ43yQEMaaTvDwoAQh L+IwUb5Z+QAH1FpZwihH++hxj9qwM7uNu63oiN4gZqCFnRNhmSSbyRJIadmIwZXnRmH8LRCY BTB2IgNhgyUR4/y1X+E+zU9dAYzwrQJlo5B23YlKTgPt9eVy+/PlgdgZwke/y61lJ8wmQVbK ewgRQxAsYWwMR+qwJLd3VhUKN7cQvLLBo7TO4xKxOi7Z+obD/WMc/O46yfxkocViE9t2w4WU yy+YZ46zpx+BvufrsHkhpgu/On0a9CFRvLv7mgT31KvOYjDXig5Frz+bSMloVWVm3utPE8OY OCwVGIGI1Dw0pdrrz8dpOeK3ys4C8ro/b2gzFKjaF2qTy9VQQmxGqqAN+9PpeKotpv02uWfw zqSbREpbri61rpPLjk8FnQz6l912SUZCyA3V6TV6SwY0nsxp3Ai0sK6mRwZCic9blljpsH1A lmzg1oW/tYnJCAoJH27whde39DCrCiJE2wvabtbH28501B9dpwqkhmlSJ1P1qn/XLgGcwnZg xKWTq0yB5hOeq3DI/9YRimHBsYfWxuD8jalAl4Qwya5xYLFxVCC5kdAjxVqR+yKFkYxwRJYZ dlfuWCXOrKy9zeXMQlXB7ijk78J63oewMQG3bWErK2y1NRxKAau4EzKYZGkX5CUYLNn4LFz5 2OdkTwJLh1flbrD7XDQAO4vqyj0PXGDjniTfacYL/DVCBml54/4IghO7k0DagYSJwzTWVEzf ZHseRQFN1Lx70x0Ph50R7NM9jChTItZgypydVbEoPuYPm1lZRT42NCt9/1uyVT9Vvv/tqj9Q P5UIic0EQOFJ1OCZ2S6kJuPZKEsFXuxQm87ejbC3YvYUvpvkbT3X06Pas6v5pF2Sh2aKzkr7 9i/f/1b/LlzJPf2JvWa0pQm5/+GHygtCEFOEoILvvnvRKhJR+kNLkv38M0sQn1ibQKr3if36 K/vDH+I2QCR23Ga/lAwBGwPXFGMPw7Xm+VHY/hFVGp9++qVEZHuhM+Ipbaf1R2WStfkJLQBO a/78p18/oZbEye5bFWL/uxeVFF37pVSKm/vyUgCYwJR1IEez2Y2U06fzN7t5ZvrC9T9l9mha knWHTVy3fymh58Ic+YUpotn8pRRvkK/NTdzmXzc5z+iRwfxW6427uXaNzbbhwcza0UaplRvl hhKcVtaRgwjnutvVZhO1OyMVda2O5uNxom+BSbRt7VW9XDu7KNfL9cQSO9Bi15NZT1r8MZwQ qbfWUBZrxq2d4TDBg2jtUHAgoDAdioVWu9oFMzmZyCSB78BMP9RlMGHJebDgkcOGRZtGA/Ed 9AZnLvSMz1y+0z2HebqABiEVFTDPNsLogLDGc2WwFUS6U6s2d/UMgsWzAoQCmwOa/cDCLTQX 3OCgziLLId0fhWia2pesRhQkLm1SQcs9RjhdXML168yvxtMhRujrsZO+9Dz4PElcGMSZxexm MIaP2C5dIQpWgfkLWQCYgP7oajzpzG+OloO8hFbRq9J1BQ4CrzzjuFbkueWTKumZ6Ofr0Smp rEZMTBZzGKY3CO8xEseDjmUbcVh6CDaoeDZHMJE4bpmvWAnlBQcRINzR+sPJoN/tw4jxpaXF PZLFgHlJEkVfI5JIM+YWFqx08ufOm043cQcLx/lKvaJvgwD7SYm7UXaOdBSIRo+rpcH3N1RF hd7t76K/VacjddAuyQkrnQw6I7jXwtWuL8vbaHUBTLeXT9mSHwK4+jp5qQ9JctZoMNPesLXR bJ5fVJm9rNfOmK0bThWb14n2XrBkLroOYXnhxkXUpjZUZzNIMtrsIt9LZfit/VIZ15hM4Woo rhCGMDKKPJpiwl4ls5+XJnEVlTXqT0vjEEvWtBoXZygBE0CFV1NreAeNFq6tVcRO44LxRMVG /gh/ISStUoae+yGMi7RO701n1FVJ9OHcjLtEDlVTQ3H/Elon5VOGGhlSsgeUDMJSHDEFXIK6 Xqiz+dVMeyIrchutQjj7PiJ0F0GLpJ+q46srrI2m3s3VEUVYJKLkv1CARisfetANOQYCD6F/ EHAiIKqjDu2UWHoHM00GUjOy7O1qy7Da1drrRrNluxI4aznrdrXa8q12s/q60WiFnsSftowU WBpx0etqraUXYDiIIKievm6cv27WWo51lA237QQw243q62ajpXMJ1FrRvQTqLQ9AkwDYLSJu tsRedlpvvShDl0m4RrD5kMFw6wvw+5yG5zT2mufwQ7MArwuwkxNFdl452hfgBy+Hz3P8g+Xn cAb9JYOMHFlg3Q4KcBHMOyn0/YBZyfkoZJYP9QKc0xzD9ULlnC+xzODAdzL4fWGy7wuwKMBh AQ4KMC8Mhesi59/Lh6X7Vp4pzGNhQnSes3Zv5ayF9zlsFGARGjn7vplsVoJFnnGKJc5RkWmt Mnjp+BnsL50cNguwn8ORyTN4X6DfF2kK7QPOM76bMxHujuCHnNcCka/vc7y3y+Hi2I5GXS8Q bXIYQUfOn1cYm+M3c7hZ7KGQ2XnLDP4QZaC7LXTg5DAP8yEHTgHc5c2sbD2n31kFfBHO2zTt DDRycK/nPe3vjQw+FDjTC6MVzqowC7sCnM+zvsJ0VmNNRJY2yxhyKdOMp2cwVHAGI7rKYJ8j 3spzRl4bMXkKRqT4UngfZTDncQdnBG8zcGUX8E6T57BlFGErz2wKRH6jAOcNeaaZwUFOfs93 BZIcT3dyWSb09xm8D/1VkimdDDu3anIy8f6csqMJPASYVYe7PoLSIMFJy/gtfhTqtQoXSrEh zZDPZr/BBX1U4xs90JwXupuzwV2zyME3DqfSKpxgJud1hMbMLAbzPhwCOqzKrrX25ORkJfEd FZy50bt2CUwuraj8QvJgMG/5XujRM8R98gcq0kFhlGRuMeUTMAY2hqi8KJZkiDj7ITouTvNx 7q5Wm54VizPEU6bUO3U4gQP+Iz12Of2INaMfndZ8TFfjI+J7yw+F0vgIQ7Y1PyYHGx+3hth9 TDz6jzqdPn6Mbx8Uim0/0sr8VDoZqfNLtUO+FPctBExUm+muwUz4SrsDM8MV3VC48A2ZRdce dLVmRQf2vi4Eo4Vkjre0bEK5S4aVomMkOnwKWOhxtkOj3IaSpdMdRHSO5xIU7vQks6ewdDSW Dlm7FAVbRLWJp0cBiDpEkNqZw92TzmN6kA2aQW/ytpdFZOTDXg8oQKVgul2CL24q+xr81ES0 soNJcnMJm7mdicygrChDWTYvkECclR/Pj3Ky5+SB1oq6lOL0eTIEx0p6rJZhBYKu5xooSBVK aCB3iOOmt/0RhRV3c2BuJtq8M71WScGQ6CgISye3109PYH2ub5DSdCTHDXQbNujTpQy3/TVn sXTJr7JahkYCSi4Z+KZfniNS+iaYte9zZnFgnbOLjfyQVx4xBxuWuZYX1pmPKBs/hVNQidTh uhcSRLEmfZO2AivUdyxsvKoyhCehD483/sZsxSAiAA7COIeqaX4PWD+Y94hVCYz72BcJLs7o lxEBlM0SEPdPUFIPUKGeggp0Q5zO4GV/VIxpaLmy6Y5vBcvNnLo7HiKwQpyl3nUHi56qzRbY +3cULeqQOPhjbB05P9u//hd77/8sfv0vk73H9BgrBo+p2AxdyGQnzim6p14u6A6piJl06SY7 3gt0FiqvnCrCWFYM4eeEKmImrTvozGbEi7zlkAe9Igi8gG5q2Qf+iHrY6Q+upuMhNl084D9l 5/bPUM4Wl3+W11U/J9S/JofYsvEVOvn+t0mne4tKnxj0xPe/0V3ep2daoouCJLI7Kpu9m81V cBPynciL5Amjhino3s4WQ20+fZcfgJ0+JsPSLIYqCEbarP8XqJXGafU2J7ruQwHVTwvzez25 1vK5pcWPT9Aq5kYcwgo+geWaYYpNbriO69+qsFrVvdp5dXHRxN+ry85VtaMeE8361/LyITsa pzNzxPWW6SKJbxMUbpsem9106qdndH+BvoKE4CDohiO5WlTAVvHMMWGCDsyVtecIuj1/VEwH l/KcMj34TgvpaCmel+oj5OIJcq5OR52BRvfaanymkJaN36jTaR/iULhQScsm74aPBIw8hFS0 KqEVCeWpYpu8m9+MR7+/nrwByK6RAkGnO/LyjPSCvCYK+UpkmfiqRFEiemyL1HOsCKsRZAhY PTqiIBB7XKeG7teeLRT5YIOWxBYRAfSOgajWW7g96JgbdJOfNO1to3btgu4/xF6+pWjnt2lF pBTAIiIdYBFHL5oeD3iqwgEhyVcKqyJL6OSQBKGwkvPhJN/zkVPQIljGyzG9nCi08nY8vaXz oOG4h4LqebXQ0l1nPp+murBdWkbBKiy/YCFNOzyMstg5ecZyOPuPLBeKWFHHHk/ZXYVNjet2 3LYGfVAQy/z656hYS55+rCz4P48pmXxDxlbsP5lCD8BZuHUcHhwornnBFIeWhf0R5ilZQrQ8 VQf90a3crOkdeb7zNvF9ZeKwaP2ZdtOZwmNVe/FsJfjxaPBOe9OZ9juX8t0RGWgmrzzZ0SEt i483GXDTARQCAZjICd2jZDQF3GIUS5Z6RPmmM1ioM+kFPIOOu32Kz7t+VJAyg+FIV026U4Fe SY5gY5nsjUfzt9P+XL18N1e7clPU0jKoOXh1auLOwLCk72oygtzRyV7WFIj+Wx0utNn4aj5E mpGS30LHoiw9N5VkxOyXaKDWpp3JTb87Sw1LIJ/olU5iK/HoklL/B99THnX6+y8qj6v/+6bt +KYt86QISIzG/wlvfzoZPnXjA3oFNF1cvsu3b7BdHuo1JpN66WR2ow4GqEWt0zITZvAGGETN s3dDqaYg3Mmrt8IDo+S1mwIPQj5/QGEfDtFs/o6MAD0t3yu255qKFXqlk8UovVn6zOMnuauD rZtub32DSmQf7hg/rTPoa3pAmoUd8XMfRo84I/mPT6T5hHalF4BLEWyMJVs+WH6d6RwRhW4E DMEw0+mVH8XbenDwEc2GugfNTf40PeAzAosZuyV+IF9xh61WdFDI6IoneYho0tNK8r1hGRlW J7LhivtAhREMsYPQ1kSv+cs9zJG7Y7BHppAvFTfM8ndniI4B0fmq/NQBb8PIWh2YTfaD9D/X ET7TizIOxxdelrMmGXRckyVzxjBcfkCH2XPB9H7JBU+uH9nMM01G/2DEtGXi+EcPCfVAMN8S FC4wciKw42C6eGiz0LDJltKMIoV2wpyGBHtbmL+QXn58sOUTS5nQayJUCEGwXe5EENPvTDK4 OwtRXKT7BqNDXUZBvDSW6VvJbcBdw3PYrmmzneXQe5SI79nOC5YURNXpAIeee7A9cRc/fNzv 8Ncy2AMdjLBHr5vZv9rTY/bvB8b/og+M2T/u2S77OzxYZX+HF4bs6Ake+5d/KcK++FKEffnx BTt+h8D+Aa8O2N92Xc6+4fiVPXfIyL7mtLNvcdrZtznt7BucdvYlpygLldql69GixN70e+o4 tSlYBQGR2wk4I6633Qm+LbG7uQzCtE6vJ6fzw9aLeJ35ocF8+HPYqnaoQ5JtGONoXScnoAmv USpnOqKP8PXrPrOkdJrCwxZbbR8e5BtPuDikdiJBwh/4cDwgoRBghBgI4QN+7/KIFBhiTnIv ZGKsdQA69KZUd/qae9D0MOlbOpGk8aUHY8djPclDNUSUMK3D/mQmbexk0pXpjA5aE6NbMLaP zVSenwxnuaZD0+q0L7fOIFN7TxUhMEN12pk90WMFpdSZDo9VFOtOx7MZnZvK8BgOO+supgO4 74MkLlZH6OYGu54YyDi9upqPoY4eaadHonwsu2lMPahVR0U5/Yx8AT26XnQonXZz2sGbYboF 2XA8ulXf5eNMb18yLkdA36U57WY+nzxC0YHnI9RsPlU7Q0itCg6n/TfqdPa8CDO6JMG8aVed yyni2Cwvq2arkmIx8wUpf1a4Hwn0s6L7VFAZVjB7FnUko2zWGanaZad7q46w2/LDjLez6342 awVJZW/GGCdNinxmjgbZ3RUGnpIei2xx42s3/V6P3j19fv8/2oVP9l283R4dvBz1kT+hK5zb fKlCfiwTVzkqLJzO/NX3M7/jTubRDczTW5rP3skUblY+e0fzz7iT+cwRFqa2f8eWULfw+bpx 8z0eyCTgpude2Qd2FQhxOevF/88Eu5ks7lifDCVmgByEe/pGFJA5W8RFIxER8RgBGKWzrTue sa0u6779HDOpJ0DcJP2nvdL/2CCXRXYcD/fZPj7beK7xiTjT+uNpj6wCXNqWvzFb8v8ESLz7 kDDpP2tr0f8Q0ZL/aKd08lXTePK2P+qN38rrkEb17OLs/CLFxacn56WTu84CumLan79LLm0r 5bvYkbWiA4p718k1VnoVTy8F9oYZF/U6805a8OihQ+GNAmj/f9nok/8FKsnv4g1FAAA= --ew6BAiZeqk4r7MaW-- --zx4FCpZtqtKETZ7O Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE/PEyRe0kfc5EOFW36piEiE+68K4FAlkQ/7QACgkQ6piEiE+6 8K5esQ//QHaz5GKy6X3WOCAnj4uB0vZ2PPOqSDSMx52gFRFPHpu7VEJhA4rX7Unz 1Aj3CIkZEUtl9ElsAJ9mlZA3Z2U5AQM70JazBVZPQBEtNN0NPeBWC4f86IChy1Gc OXdqZfmgRg074dlTzHYGt2aJ1Yt6dAeEWJ5f868TFJZn2z9afxgmx9i34mUK2hGk 2pmWLO+De+dnJuzAARd8D0vLeuuHZ/+vfMr1Jy+ELawcg6mrIi6gIUK1t22m6WI2 +SgTkYcDzO8QNEB2cLk4WQrgZcU3r6RaW6YI2oI1O24Oc1kTK1qffy23bPZp49jd QEYfmUCFoyjZiKtQBfcuaTsSJ8cw+dZw9RK7/KCxfhoUe7prd4m4hfWfJfv1lYDr NGIHyufkdamH3VTN7cPKTfYARhdLPkX/+MHho/8gRyDofIYPMZhraNB7xC7Pcz+q 1ecXhkjvCosa/vro8+97r3yybAsL61RHfRi+gCJmdz96empN+kgkvOVCY99+rlq+ 8suBNY/6aihd8h56ixStNFk1n7nGhcogVTY7Vn1sNROKy99Z3BC8p0PxwpcgVRtx ChMnlGyLAd083OezVuEOd8Zp53m+MzAViiBYp4NXamQ4jJfvGCe5+qwTUmKHAu/a KFojErb5GFD0le7LIi+5nQRr0mQhU/Dp34B3Kyx5npK7052AgYM= =GQdn -----END PGP SIGNATURE----- --zx4FCpZtqtKETZ7O--