snap-confine-2.55.3-1.el7> 6 6`d63!}|J^>j/5,dbT,= j/5,d =; fglm1[Nty(԰6~(ũc{o:2F 3L\8zBeZƯ{x_,qk="X=vpyx2|KFY$[%.oc6SAp(1o_IB$,vY9XxAҌ?r< ( /B W%-׬\h?]NQtz%v²ozXWw!Yg(esƴəc!ѷ[usmGbs2G3ufڨc jĺAe+4-PD;6Ec{0K>VIuFj/5,dbT,= j/5,dKy ՗Ok9;WZtopF}7H^r$CvfeŨnW@υXA[!TEq Ae~{>F!=>ܞHH.)V>W 5<>΍d)qyjTpOu0>f< v*xJ4PLZOYb@<+A20+{˘_eSi 9ӈ/]ڏz^*إ:<5HDuRp6y>!,<8MAHPyFVC|85Ȟ|ZjǰevlDžak/x#s,cHѰ売Iin}*:u^`&@Ll4CU}-o0F_gvxzR~ Q[DuΦ"&?w9@ ;1KWFj}Q(WK=Cژ0oImu >=i?id  E  9?H     (h$d ( 8 9 :1(B^G^,H^lI^X^Y^Z^[^\^]_,^` b`daeafalatauavb, whxhHyh?iiCsnap-confine2.55.31.el7Confinement system for snap applicationsThis package is used internally by snapd to apply confinement to the started snap applications.bT(#buildvm-x86-17.iad2.fedoraproject.orgBFedora ProjectFedora ProjectGPLv3Fedora ProjectUnspecifiedhttps://github.com/snapcore/snapdlinuxx86_64p@xqp"-hTK AA큤A큤@IbT(bT(bT(bT(bT(bT(bT(bT(bT(bT(bPKCbT(bPKCbT(bT(bT(5365c58917b5c62afb87fa26b8f501c9be8efc2f02acf5f14a20a4fa3b3936aaebc6b911292971f24290f80c26cc4311b896ffea05a62d3f75e6a1e94ca1b653899ae71f98dbfe37390cf62474fae732ab1333fb9295b32d5acda9849d135c5c2d125e16b8e656626fd2c7f892b6240ad0d24884f679de885b722d59f46d21db52385a9e2f6822bed8c694d829034b208e32d01252814df1d03a6756dfb46b8caeace43bc2e5901b1de818e786f9b8c83c0cb624bbc9c1640b9cde259f0010f4814d02722825ce12bb964e6860bda098c6420d3cdf65ccf4f1f1d56f1fdb6d1a9e62ba43060de1a95e68fae4f9de4674f7303e38e7ac75907ef346a1dd640434c589535706d9d3ac8ecdecc1919c86e823f29e0be3c33c61c4c94aa301643a618ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b9031b2e4550c56f0254fdb2bb5f496e6f3da2b8bbe00ce1a8be561080ed31a9466ad7c6f29e9938fa425d74c015c26ebf8ddf40b3c63ba0ce2c869b21c31c89eb5brootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsnapd-2.55.3-1.el7.src.rpmsnap-confinesnap-confine(x86-64)@@@@@@@@@@@@@@@@@@@@@@   @ libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.7)(64bit)libc.so.6(GLIBC_2.8)(64bit)libc.so.6(GLIBC_2.9)(64bit)libcap.so.2()(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libgcc_s.so.1(GCC_3.3.1)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libpthread.so.0(GLIBC_2.3.2)(64bit)libseccomp.so.2()(64bit)libselinux.so.1()(64bit)libudev.so.1()(64bit)libudev.so.1(LIBUDEV_183)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.11.3bT@bP#bMb8hb8hb8hb+9b b8b a@aaaɪap@a{a@a@a@aaaKa(@a(@aqV@a\>@a\>@aTU@a2@a/k@a(aGaS@aa`@`@``@`Ȗ@`````@`]`F`>(`+`%@`#`>`U_I@_إ@_@_^@_E@_~@_s!_R,@_D@_)M_%Y@_!d_ @___X@^(@^3^^^_^^v^p^E:@^C^2@^0"@^@^]B]߶]e@]@]*]µ]{@])]4@]?]nU]i]:@](v@] ]@\\\]@\t@\!\-@\@\C@\|\|\w@\w@\v{\k\j@\Z@\Z@\V\P@@\?\@\@[[H[H[@[v[@[^[ā@[R@[R@[["@[D[z@[[ @[P}@[M@[I[?Y[,[+@[oZ@ZZZZԐ@ZJ@ZZZZZx@ZZ=Zw@Z1@ZZ Z}@ZyZiZ7Z6\@Zr@Zr@Z@ZC@YZ@YZ@Y@Y@Y@YYY@YYYܶ@Y@Y˒YY)@Y4Y@@YYYY3Y3Y3YYYJYJY@YyY&@Y!@Y;@Y#@X@X@Xߖ@XDX@XۡXƉXX`@XWu@W:W@W@W@W@W@W@W@W@W@W@Wm Wc@W_WZMaciek Borzecki - 2.55.3-1Michael Vogt Maciek Borzecki - 2.55.2-1Ian Johnson Ian Johnson Ian Johnson Maciek Borzecki - 2.54.4-1Michael Vogt Maciek Borzecki - 2.54.3-1Michael Vogt Maciek Borzecki - 2.54.2-1Fedora Release Engineering - 2.54.1-2Ian Johnson Maciek Borzecki - 2.54.1-1Michael Vogt Michael Vogt Maciek Borzecki - 2.53.4-1Ian Johnson Ian Johnson Maciek Borzecki - 2.53.2-2Maciek Borzecki - 2.53.2-1Ian Johnson Maciek Borzecki - 2.53.1-2Maciek Borzecki - 2.53.1-1Ian Johnson Michael Vogt Michael Vogt Maciek Borzecki - 2.52-1Ian Johnson Maciek Borzecki - 2.51.7-1Ian Johnson Ian Johnson Ian Johnson Ian Johnson Maciek Borzecki - 2.51-4Maciek Borzecki - 2.51-3Fedora Release Engineering - 2.51-2Ian Johnson Michael Vogt Michael Vogt Maciek Borzecki - 2.51-1Ian Johnson Ian Johnson Maciek Borzecki - 2.50-1Michael Vogt Michael Vogt Michael Vogt Zbigniew Jędrzejewski-Szmek - 2.49-3Maciek Borzecki - 2.49-2Maciek Borzecki - 2.49-1Michael Vogt Maciek Borzecki - 2.48.2-3Fedora Release Engineering - 2.48.2-2Maciek Borzecki - 2.48.2-1Michael Vogt Michael Vogt Michael Vogt Maciek Borzecki - 2.47.1-1Michael Vogt Michael Vogt Michael Vogt Michael Vogt Maciek Borzecki - 2.45.3.1-1Fedora Release Engineering - 2.45.2-3Fedora Release Engineering - 2.45.2-2Samuele Pedroni Zygmunt Krynicki Maciek Borzecki - 2.45.2-1Michael Vogt Maciek Borzecki - 2.45.1-1Michael Vogt Maciek Borzecki - 2.45-1Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Maciek Borzecki - 2.43.3-1Michael Vogt Fedora Release Engineering - 2.42.2-2Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Maciek Borzecki - 2.42.2-1Michael Vogt Maciek Borzecki - 2.42.1-1Michael Vogt Maciek Borzecki - 2.42-2Maciek Borzecki - 2.42-1Michael Vogt Neal Gompa - 2.41-1Michael Vogt Fedora Release Engineering - 2.39.2-2Michael Vogt Michael Vogt Neal Gompa - 2.39.2-1Maciej Borzecki - 2.39.1-2Michael Vogt Neal Gompa - 2.39.1-1Michael Vogt Neal Gompa - 2.39-1Michael Vogt Robert-André Mauchin - 2.38-3Neal Gompa - 2.38-2Neal Gompa - 2.38-1Michael Vogt Neal Gompa - 2.37.4-2Zygmunt Bazyli Krynicki - 2.37.4-1Michael Vogt Zygmunt Bazyli Krynicki - 2.37.3-1Michael Vogt Neal Gompa - 2.37.2-1Michael Vogt Fedora Release Engineering - 2.36.3-2Michael Vogt Michael Vogt Neal Gompa - 2.36.3-1Michael Vogt Michael Vogt Neal Gompa - 2.36-4Neal Gompa - 2.36-3Neal Gompa - 2.36-2Michael Vogt Neal Gompa - 2.36-1Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Neal Gompa - 2.35-1Michael Vogt Michael Vogt Michael Vogt Michael Vogt Fedora Release Engineering - 2.33.1-2Michael Vogt Neal Gompa - 2.33.1-1Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Neal Gompa - 2.32.4-1Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Neal Gompa - 2.31.1-2Neal Gompa - 2.31.1-1Michael Vogt Fedora Release Engineering - 2.30-2Michael Vogt Neal Gompa - 2.30-1Michael Vogt Neal Gompa - 2.29.4-3Neal Gompa - 2.29.4-2Neal Gompa - 2.29.4-1Michael Vogt Michael Vogt Michael Vogt Michael Vogt Michael Vogt Neal Gompa - 2.28.5-2Neal Gompa - 2.28.5-1Michael Vogt Neal Gompa - 2.28.4-1Michael Vogt Michael Vogt Michael Vogt Neal Gompa - 2.28.1-1Michael Vogt Michael Vogt Neal Gompa - 2.27.6-1Michael Vogt Neal Gompa - 2.27.5-1Michael Vogt Michael Vogt Michael Vogt Neal Gompa - 2.27.2-2Neal Gompa - 2.27.2-1Michael Vogt Neal Gompa - 2.27.1-1Michael Vogt Neal Gompa - 2.27-1Michael Vogt Fedora Release Engineering - 2.26.3-5Fedora Release Engineering - 2.26.3-4Neal Gompa - 2.26.3-3Neal Gompa - 2.26.3-2Neal Gompa - 2.26.3-1Neal Gompa - 2.25-1Neal Gompa - 2.24-1Neal Gompa - 2.23.6-4Neal Gompa - 2.23.6-3Neal Gompa - 2.23.6-2Neal Gompa - 2.23.6-1Neal Gompa - 2.23.5-1Neal Gompa - 2.23.1-1Fedora Release Engineering - 2.16-2Zygmunt Krynicki - 2.16-1Neal Gompa - 2.14-2Zygmunt Krynicki - 2.14-1Zygmunt Krynicki - 2.13-1Zygmunt Krynicki - 2.12-2Zygmunt Krynicki - 2.12-1Zygmunt Krynicki - 2.11-8Zygmunt Krynicki - 2.11-7Zygmunt Krynicki - 2.11-6Zygmunt Krynicki - 2.11-5Zygmunt Krynicki - 2.11-4Zygmunt Krynicki - 2.11-3Zygmunt Krynicki - 2.11-2Zygmunt Krynicki - 2.11-1Zygmunt Krynicki - 2.0.9-2Zygmunt Krynicki - 2.0.9Zygmunt Krynicki - 2.0.8.1Zygmunt Krynicki - 2.0.8- Release 2.55.3 to Fedora- New upstream release 2.55.3 - cmd/snap-update-ns: apply content mounts before layouts - many: change "transactional" flag to a "transaction" option - b/piboot.go: check EEPROM version for RPi4 - snap/quota,spread: raise lower memory quota limit to 640kb - boot,bootloader: add missing grub.cfg assets mocks in some tests - many: support --ignore-running with refresh many - cmd/snap,wrappers: fix wrong implementation of zero count cpu quota - quota: add some more unit tests around Resource.Change() - quota: detect/error if cpu-set is used with cgroup v1 - quota: add test for `Resource.clone() - cmd/snap,client: frontend for cpu/thread quotas - tests: update spread test to check right XDG dirs - snap: set XDG env vars to new dirs - o/snapstate: initialize XDG dirs in HOME migration - i/b/kernel_module_load: expand $SNAP_COMMON in module options - overlord: add missing grub.cfg assets mocks in manager_tests.go - o/snapstate: account for repeat migration in ~/Snap undo - b/a: do not set console in kernel command line for arm64 - sandbox: improve error message from `ProbeCgroupVersion()` - tests/main/snap-quota-groups: fix spread test - interfaces: add pkcs11 interface - o/snapstate: undo migration on 'snap revert' - overlord: snapshot exclusions - interfaces: add private /dev/shm support to shared-memory interface - packaging: install Go snap from 1.17 channel in the integration tests - snap-exec: fix detection if `cups` interface is connected - bootloader/piboot: add support for armhf - interfaces/system-packages-doc: allow read-only access to /usr/share/libreoffice/help - daemon: add a /v2/accessories/changes/{ID} endpoint - interfaces/appstream-metadata: Re-create app-info links to swcatalog - tests/main/snap-quota-groups: add 219 as possible exit code - store: set validation-sets on actions when refreshing - interfaces/appstream-metadata: Support new swcatalog directory names - asserts,interfaces/policy: slot-snap-id allow-installation constraints - i/b/network-manager: change rule for ResolveAddress to check only label - cmd/snap-bootstrap: support booting into factory-reset mode - systemd: do not reload system when enabling/disabling services- Release 2.55.2 to Fedora- New upstream release 2.55.2 - cmd/snap-update-ns: actually use entirely non-existent dirs- New upstream release 2.55.1 - cmd/snap-update-ns/change_test.go: use non-exist name foo-runtime instead- New upstream release 2.55 - kernel/fde: add PartitionName to various structs - osutil/disks: calculate the last usable LBA instead of reading it - snap/quota: additional validation in resources.go - o/snapstate: avoid setting up single reboot when update includes base, kernel and gadget - overlord/state: add helper for aborting unready lanes - snap-bootstrap: Partially revert simplifications of mount dependencies - cmd/snap-update-ns/change.go: sort needed, desired and not reused mount entries - cmd/snap-preseed, image: move preseeding code to image/preseed - interfaces/docker-support: make generic rules not conflict with snap-confine - i/b/modem-manager: provide access to ObjectManager - i/b/network_{control,manager}.go: add more access to resolved - overlord/state: drop unused lanes field - cmd/snap: make 1.18 vet happy - o/snapstate: allow installing the snapd-desktop-integration snap even if the user-daemons feature is otherwise disabled - snap/quota: fix bug in quota group tree validation code - o/snapstate: make sure that snapd is a prerequisite for updating base snaps - bootloader: add support for piboot - i/seccomp/template.go: add close_range to the allowed syscalls - snap: add new cpu quotas - boot: support factory-reset when sealing and resealing - tests: fix test to avoid editing the test-snapd-tools snap.yaml file - dirs: remove unused SnapMetaDir variable - overlord: extend single reboot test to include a non-base, non- kernel snap - github: replace "sanity check" with "quick check" in workflow - fde: add new DeviceUnlock() call - many: replace use of "sanity" with more inclusive naming in comments - asserts: minimal changes to disable authority-delegation before full revert - tests: updating the test-snapd-cups-control-consumer snap to core20 based - many: replace use of "sanity" for interface implementation checks - cmd/snap-preseed: support for core20 preseeding - cmd: set core22 migration related env vars and update spread test - interface/opengl: allow read on /proc/sys/dev/i915/perf_stream_paranoid - tests/lib/tools/report-mongodb: fix typo in help text - tests: Include the source github url as part of the mongo db issues - o/devicestate: split mocks to separate calls for creating a model and a gadget - snap: Add missing zlib - cmd/snap: add support for rebooting to factory-reset - interfaces/apparmor: Update base template for systemd-machined - i/a/template.go: add ld path for jammy - o/devicestate, daemon: introduce factory-reset mode, allow switching - o/state: fix undo with independent tasks in same change and lane - tests: validate tests tools just on google and qemu backends - tests/lib/external/snapd-testing-tools: update from upstream - tests: skip interfaces-cups-control from debian-sid - Increase the times in snapd-sigterm for arm devices - interfaces/browser-support: allow RealtimeKit's MakeThreadRealtimeWithPID - cmd: misc analyzer fixes - interfaces/builtin/account-control: allow to execute pam_tally2 - tests/main/user-session-env: special case bash profile on Tumbleweed - o/snapstate: implement transactional lanes for prereqs - o/snapstate: add core22 migration logic - tests/main/mount-ns: unmount /run/qemu - release: 2.54.4 changelog to master - gadget: add buildVolumeStructureToLocation, volumeStructureToLocationMap - interfaces/apparmor: add missing unit tests for special devmode rules/behavior - cmd/snap-confine: coverity fixes - interfaces/systemd: use batch systemd operations - tests: small adjustments to fix vuln spread tests - osutil/disks: trigger udev on the partition device node - interfaces/network-control: add D-Bus rules for resolved too - interfaces/cpu-control: add extra idleruntime data/reset files to cpu-control - packaging/ubuntu-16.04/rules: don't run unit tests on riscv64 - data/selinux: allow the snap command to run systemctl - boot: mock amd64 arch for mabootable 20 suite - testutil: add Backup helper to save/restore values, usually for mocking - tests/nested/core/core20-reinstall-partitions: update test summary - asserts: return an explicit error when key cannot be found - interfaces: custom-device - Fix snap-run-gdbserver test by retrying the check - overlord, boot: fix unit tests on arches other than amd64 - Get lxd snap from candidate channel - bootloader: allow different names for the grub binary in different archs - cmd/snap-mgmt, packaging: trigger daemon reload after purging unit files - tests: add test to ensure consecutive refreshes do garbage collection of old revs - o/snapstate: deal with potentially invalid type of refresh.retain value due to lax validation - seed,image: changes necessary for ubuntu-image to support preseeding extra snaps in classic images - tests: add debugging to snap-confine-tmp-mount - o/snapstate: add ~/Snap init related to backend - data/env: cosmetic tweak for fish - tests: include new testing tools and utils - wrappers: do not reload the deamon or restart snapd services when preseeding on core - Fix smoke/install test for other architectures than pc - tests: skip boot loader check during testing preparation on s390x - t/m/interfaces-network-manager: use different channel depending on system - o/devicestate: pick system from seed systems/ for preseeding (1/N) - asserts: add preseed assertion type - data/env: more workarounds for even older fish shells, provide reasonable defaults - tests/main/snap-run-devmode-classic: reinstall snapcraft to clean up - gadget/update.go: add buildNewVolumeToDeviceMapping for existing devices - tests: allow run spread tests using a private ppaTo validate it - interfaces/{cpu,power}-control: add more accesses for commercial device tuning - gadget: add searchForVolumeWithTraits + tests - gadget/install: measure and save disk volume traits during install.Run() - tests: fix "undo purging" step in snap-run-devmode-classic - many: move call to shutdown to the boot package - spread.yaml: add core22 version of rsync to skip - overlord, o/snapstate: fix mocking on systems without /snap - many: move boot.Device to snap.Device - tests: smoke test support for core22 - tests/nested/snapd-removes-vulnerable-snap-confine-revs: use newer snaps - snapstate: make "remove vulnerable version" message more friendly - o/devicestate/firstboot_preseed_test.go: remove deadcode - o/devicestate: preseeding test cleanup - gadget: refactor StructureEncryption to have a concrete type instead of map - tests: add created_at timestamp to mongo issues - tests: fix security-udev-input-subsystem test - o/devicestate/handlers_install.go: use --all to get binary data too for logs - o/snapstate: rename "corecore" -> "core" - o/snapstate: implement transactional flag - tests: skip ~/.snap migration test on openSUSE - asserts,interfaces/policy: move and prepare DeviceScopeConstraint for reuse - asserts: fetching code should fetch authority-delegation assertions with signing keys as needed - tests: prepare and restore nested tests - asserts: first-class support for formatting/encoding signatory-id - asserts: remove unused function, fix for linter - gadget: identify/match encryption parts, include in traits info - asserts,cmd/snap-repair: support delegation when validating signatures - many: fix leftover empty snap dirs - libsnap-confine-private: string functions simplification - tests/nested/manual/core20-cloud-init-maas-signed-seed-data: add gadget variant - interfaces/u2f-devices: add U2F-TOKEN - tests/core/mem-cgroup-disabled: minor fixups - data/env: fix fish env for all versions of fish, unexport local vars, export XDG_DATA_DIRS - tests: reboot test running remodel - Add extra disk space to nested images to "avoid No space left on device" error - tests: add regression tests for disabled memory cgroup operation - many: fix issues flagged by golangci and configure it to fail build - docs: fix incorrect link - cmd/snap: rename the verbose logging flag in snap run - docs: cosmetic cleanups - cmd/snap-confine: build const data structures at compile- time - o/snapstate: reduce maxInhibition for raa by 1s to avoid confusing notification - snap-bootstrap: Cleanup dependencies in systemd mounts - interfaces/seccomp: Add rseq to base seccomp template - cmd/snap-confine: remove mention of "legacy mode" from comment - gadget/gadget_test.go: fix variable type - gadget/gadget.go: add AllDiskVolumeDeviceTraits - spread: non-functional cleanup of go1.6 legacy - cmd/snap-confine: update ambiguous comment - o/snapstate: revert migration on refresh if flag is disabled - packaging/fedora: sync with downstream, packaging improvements - tests: updated the documentation to run spread tests using external backend - osutil/mkfs: Expose more fakeroot flags - interfaces/cups: add cups-socket-directory attr, use to specify mount rules in backend - tests/main/snap-system-key: reset-failed snapd and snapd.socket - gadget/install: add unit tests for install.Run() - tests/nested/manual/remodel-cross-store,remodel-simple: wait for serial - vscode: added integrated support for MS VSCODE - cmd/snap/auto-import: use osutil.LoadMountInfo impl instead - gadget/install: add unit tests for makeFilesystem, allow mocking mkfs.Make() - systemd: batched operations - gadget/install/partition.go: include DiskIndex in synthesized OnDiskStructure - gadget/install: rm unused support for writing non-filesystem structures - cmd/snap: close refresh notifications after trying to run a snap while inhibited - o/servicestate: revert #11003 checking for memory cgroup being disabled - tests/core/failover: verify failover handling with the kernel snap - snap-confine: allow numbers in hook security tag - cmd/snap-confine: mount bpffs under /sys/fs/bpf if needed - spread: switch to CentOS 8 Stream image - overlord/servicestate: disallow mixing snaps and subgroups. - cmd/snap: add --debug to snap run - gadget: mv modelCharateristics to gadgettest.ModelCharacteristics - cmd/snap: remove use of zenity, use notifications for snap run inhibition - o/devicestate: verify that the new model is self contained before remodeling - usersession/userd: query xdg-mime to check for fallback handlers of a given scheme - gadget, gadgettest: reimplement tests to use new gadgettest examples.go file - asserts: start implementing authority-delegationTODO in later PRs: - overlord: skip manager tests on riscv for now - o/servicestate: quota group error should be more explanative when memory cgroup is disabled - i/builtin: allow modem-manager interface to access some files in sysfs - tests: ensure that interface hook works with hotplug plug - tests: fix repair test failure when run in a loop - o/snapstate: re-write state after undo migration - interfaces/opengl: add support for ARM Mali - tests: enable snap-userd-reexec on ubuntu and debian - tests: skip bind mount in snapd-snap test when the core snap in not repacked - many: add transactional flag to snapd API - tests: new Jammy image for testing - asserts: start generalizing attrMatcherGeneralization is along - tests: ensure the ca-certificates package is installed - devicestate: ensure permissions of /var/lib/snapd/void are correct - many: add altlinux support - cmd/snap-update-ns: convert some unexpected decimal file mode constants to octal. - tests: use system ubuntu-21.10-64 in nested tests - tests: skip version check on lp-1871652 for sru validation - snap/quota: add positive tests for the quota.Resources logic - asserts: start splitting out attrMatcher for reuse to constraint.go - systemd: actually test the function passed as a parameter - tests: fix snaps-state test for sru validation - many: add Transactional to snapstate.Flags - gadget: rename DiskVolume...Opts to DiskVolume...Options - tests: Handle PPAs being served from ppa.launchpadcontent.net - tests/main/cgroup-tracking-failure: Make it pass when run alone - tests: skip migration test on centOS - tests: add back systemd-timesyncd to newer debian distros - many: add conversion for interface attribute values - many: unit test fix when SNAPD_DEBUG=1 is set - gadget/install/partition.go: use device rescan trick only when gadget says to - osutil: refactoring the code exporting mocking APIs to other packages - mkversion: check that snapd is a git source tree before guessing the version - overlord: small refactoring of group quota implementation in preparation of multiple quota values - tests: drop 21.04 tests (it's EOL) - osutil/mkfs: Expose option for --lib flag in fakeroot call - cmd/snapd-apparmor: fix bad variable initialization - packaging, systemd: fix socket (re-)start race - tests: fix running tests.invariant on testflinger systems - tests: spread test snap dir migration - interfaces/shared-memory: support single wild-cards in the read/write paths - tests: cross store remodel - packaging,tests: fix running autopkgtest - spread-shellcheck: add a caching layer - tests: add jammy to spread executions - osutils: deal with ENOENT in UserMaybeSudoUser() - packaging/ubuntu-16.04/control: adjust libfuse3 dependency as suggested - gadget/update.go: add DiskTraitsFromDeviceAndValidate - tests/lib/prepare.sh: add debug kernel command line params via gadget on UC20 - check-commit-email: do not fail when current dir is not under git - configcore: implement netplan write support via dbus - run-checks, check-commit-email.py: check commit email addresses for validity - tests: setup snapd remodel testing bits - cmd/snap: adjust /cmd to migration changes - systemd: enable batched calls for systemd calls operation on units - o/ifacestate: add convenience Active() method to ConnectionState struct - o/snapstate: migrate to hidden dir on refresh/install - store: fix flaky test - i/builtin/xilinx-dma: add interface for Xilinx DMA driver - go.mod: tidy up - overlord/h/c/umount: remove handling of required parameter - systemd: add NeedDaemonReload to the unit state - mount-control: step 3 - tests/nested/manual/minimal-smoke: bump mem to 512 for unencrypted case too - gadget: fix typo with filesystem message - gadget: misc helper fixes for implicit system-data role handling - tests: fix uses of fakestore new-snap-declaration - spread-shellcheck: use safe_load rather than load with a loder - interfaces: allow access to new at-spi socket location in desktop- legacy - cmd/snap: setup tracking cgroup when invoking a service directly as a user - tests/main/snap-info: use yaml.safe_load rather than yaml.load - cmd/snap: rm unnecessary validation - tests: fix `tests/core/create-user` on testflinger pi3 - tests: fix parallel-install-basic on external UC16 devices - tests: ubuntu-image 2.0 compatibility fixes - tests/lib/prepare-restore: use go install rather than go get - cmd/snap, daemon: add debug command for getting OnDiskVolume dump - gadget: resolve index ambiguity between OnDiskStructure and LaidOutStructuretype: bare structures). - tests: workaround missing bluez snap - HACKING.md: add dbus-x11 to packages needed to run unit tests - spread.yaml: add debian-{10,11}, drop debian-9 - cmd/snap/quota: fix typo in the help message - gadget: allow gadget struct with unspecified filesystem to match part with fs - tests: re-enable kernel-module-load tests on arm - tests/lib/uc20-create-partitions/main.go: setup a logger for messages - cmd: support installing multiple local snaps - usersession: implement method to close notifications via usersession REST API - data/env: treat XDG_DATA_DIRS like PATH for fish - cmd/snap, cmd/snap-confine: extend manpage, update links - tests: fix fwupd interface test in debian sid - tests: do not run k8s smoke test on 32 bit systems - tests: fix testing in trusty qemu - packaging: merge 2.54.2 changelog back to master - overlord: fix issue with concurrent execution of two snapd processes - interfaces: add a polkit interface - gadget/install/partition.go: wait for udev settle when creating partitions too - tests: exclude interfaces-kernel-module load on arm - tests: ensure that test-snapd-kernel-module-load is removed - tests: do not test microk8s-smoke on arm - packaging, bloader, github: restore cleanliness of snapd info file; check in GA workflow - tests/lib/tools/tests.invariant: simplify check - tests/nested/manual/core20-to-core22: wait for device to be initialized before starting a remodel - build-aux/snap/snapcraft.yaml: use build-packages, don't fail dirty builds - tests/lib/tools/tests.invariant: add invariant for detecting broken snaps - tests/core/failover: replace boot-state with snap debug boot-vars - tests: fix remodel-kernel test when running on external devices - data/selinux: allow poking /proc/xen - gadget: do not crash if gadget.yaml has an empty Volumes section - i/b/mount-control: support creating tmpfs mounts - packaging: Update openSUSE spec file with apparmor-parser and datadir for fish - cmd/snap-device-helper: fix variable name typo in the unit tests - tests: fixed an issue with retrieval of the squashfuse repo - release: 2.54.1 - tests: tidy up the top-level of ubuntu-seed during tests - build-aux: detect/fix dirty git revisions while snapcraft building - release: 2.54- Release 2.54.4 to Fedora - Includes a fix for RHBZ#2062678 - Cherry pick a fix for RHBZ#2057103- New upstream release 2.54.4 - t/m/interfaces-network-manager: use different channel depending on system - many: backport attrer interface changes to 2.54 - tests: skip version check on lp-1871652 for sru validation - i/builtin: allow modem-manager interface to access some files in sysfs - snapstate: make "remove vulnerable version" message more friendly - tests: fix "undo purging" step in snap-run-devmode-classic - o/snapstate: deal with potentially invalid type of refresh.retain value due to lax validation - interfaces: custom-device - packaging/ubuntu-16.04/control: adjust libfuse3 dependency - data/env: fix fish env for all versions of fish - packaging/ubuntu-16.04/snapd.postinst: start socket and service first - interfaces/u2f-devices: add U2F-TOKEN - interfaces/seccomp: Add rseq to base seccomp template - tests: remove disabled snaps before calling save_snapd_state - overlord: skip manager tests on riscv for now - interfaces/opengl: add support for ARM Mali - devicestate: ensure permissions of /var/lib/snapd/void are correct - cmd/snap-update-ns: convert some unexpected decimal file mode constants to octal. - interfaces/shared-memory: support single wild-cards in the read/write paths - packaging: fix running autopkgtest - i/builtin/xilinx-dma-host: add interface for Xilinx DMA driver - tests: fix `tests/core/create-user` on testflinger pi3 - tests: fix parallel-install-basic on external UC16 devices - tests: re-enable kernel-module-load tests on arm - tests: do not run k8s smoke test on 32 bit systems- Release 2.54.3 to Fedora - Cherry pick SELinux policy fixes for RHBZ#1944390, RHBZ#2043160, RHBZ#2043161, RHBZ#2046358, RHBZ#2046363, RHBZ#2046361, RHBZ#2046364, RHBZ#2046365, RHBZ#2051594, RHBZ#2043902, RHBZ#1944390- New upstream release 2.54.3 - bugfixes- Release 2.54.2 to Fedora- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild- New upstream release 2.54.2 - tests: exclude interfaces-kernel-module load on arm - tests: ensure that test-snapd-kernel-module-load is removed - tests: do not test microk8s-smoke on arm - tests/core/failover: replace boot-state with snap debug boot-vars - tests: use snap info|awk to extract tracking channel - tests: fix remodel-kernel test when running on external devices - .github/workflows/test.yaml: also check internal snapd version for cleanliness - packaging/ubuntu-16.04/rules: eliminate seccomp modification - bootloader/assets/grub_*cfg_asset.go: update Copyright - build-aux/snap/snapcraft.yaml: adjust comment about get-version - .github/workflows/test.yaml: add check in github actions for dirty snapd snaps - build-aux/snap/snapcraft.yaml: use build-packages, don't fail dirty builds - data/selinux: allow poking /proc/xen- Release 2.54.1 to Fedora and EPEL - Fixes for RHBZ#2035664- New upstream release 2.54.1 - buid-aux: set version before calling ./generate-packaging-dir This fixes the "dirty" suffix in the auto-generated version- New upstream release 2.54 - interfaces/builtin/opengl.go: add boot_vga sys/devices file - o/configstate/configcore: add tmpfs.size option - tests: moving to manual opensuse 15.2 - cmd/snap-device-helper: bring back the device type identification behavior, but for remove action fallback only - cmd/snap-failure: use snapd from the snapd snap if core is not present - tests/core/failover: enable the test on core18 - o/devicestate: ensure proper order when remodel does a simple switch-snap-channel - builtin/interfaces: add shared memory interface - overlord: extend kernel/base success and failover with bootenv checks - o/snapstate: check disk space w/o store if possible - snap-bootstrap: Mount snaps read only - gadget/install: do not re-create partitions using OnDiskVolume after deletion - many: fix formatting w/ latest go version - devicestate,timeutil: improve logging of NTP sync - tests/main/security-device-cgroups-helper: more debugs - cmd/snap: print a placeholder for version of broken snaps - o/snapstate: mock system with classic confinement support - cmd: Fixup .clangd to use correct syntax - tests: run spread tests in fedora-35 - data/selinux: allow snapd to access /etc/modprobe.d - mount-control: step 2 - daemon: add multiple snap sideload to API - tests/lib/pkgdb: install dbus-user-session during prepare, drop dbus-x11 - systemd: provide more detailed errors for unimplemented method in emulation mode - tests: avoid checking TRUST_TEST_KEYS on restore on remodel-base test - tests: retry umounting /var/lib/snapd/seed on uc20 on fsck-on-boot test - o/snapstate: add hide/expose snap data to backend - interfaces: kernel-module-load - snap: add support for `snap watch --last={revert,enable,disable,switch}` - tests/main/security-udev-input-subsystem: drop info from udev - tests/core/kernel-and-base-single-reboot-failover, tests/lib/fakestore: verify failover scenario - tests/main/security-device-cgroups-helper: collect some debug info when the test fails - tests/nested/manual/core20-remodel: wait for device to have a serial before starting a remodel - tests/main/generic-unregister: test re-registration if not blocked - o/snapstate, assertsate: validation sets/undo on partial failure - tests: ensure snapd can be downloaded as a module - snapdtool, many: support additional key/value flags in info file - data/env: improve fish shell env setup - usersession/client: provide a way for client to send messages to a subset of users - tests: verify that simultaneous refresh of kernel and base triggers a single reboot only - devicestate: Unregister deletes the device key pair as well - daemon,tests: support forgetting device serial via API - asserts: change behavior of alternative attribute matcher - configcore: relax validation rules for hostname - cmd/snap-confine: do not include libglvnd libraries from the host system - overlord, tests: add managers and a spread test for UC20 to UC22 remodel - HACKING.md: adjust again for building the snapd snap - systemd: add support for systemd unit alias names - o/snapstate: add InstallPathMany - gadget: allow EnsureLayoutCompatibility to ensure disk has all laid out structsnow reject/fail: - packaging/ubuntu, packaging/debian: depend on dbus-session-bus provider (#11111) - interfaces/interfaces/scsi_generic: add interface for scsi generic de… (#10936) - osutil/disks/mockdisk.go: add MockDevicePathToDiskMapping - interfaces/microstack-support: set controlsDeviceCgroup to true - network-setup-control: add netplan generate D-Bus rules - interface/builtin/log_observe: allow to access /dev/kmsg - .github/workflows/test.yaml: restore failing of spread tests on errors (nested) - gadget: tweaks to DiskStructureDeviceTraits + expand test cases - tests/lib/nested.sh: allow tests to use their own core18 in extra- snaps-path - interfaces/browser-support: Update rules for Edge - o/devicestate: during remodel first check pending download tasks for snaps - polkit: add a package to validate polkit policy files - HACKING.md: document building the snapd snap and splicing it into the core snap - interfaces/udev: fix installing snaps inside lxd in 21.10 - o/snapstate: refactor disk space checks - tests: add (strict) microk8s smoke test - osutil/strace: try to enable strace on more arches - cmd/libsnap-confine-private: fix snap-device-helper device allow list modification on cgroup v2 - tests/main/snapd-reexec-snapd-snap: improve debugging - daemon: write formdata file parts to snaps dir - systemd: add support for .target units - tests: run snap-disconnect on uc16 - many: add experimental setting to allow using ~/.snap/data instead of ~/snap - overlord/snapstate: perform a single reboot when updating boot base and kernel - kernel/fde: add DeviceUnlockKernelHookDeviceMapperBackResolver, use w/ disks pkg - o/devicestate: introduce DeviceManager.Unregister - interfaces: allow receiving PropertiesChanged on the mpris plug - tests: new tool used to retrieve data from mongo db - daemon: amend ssh keys coming from the store - tests: Include the tools from snapd-testing-tools project in "$TESTSTOOLS" - tests: new workflow step used to report spread error to mongodb - interfaces/builtin/dsp: update proc files for ambarella flavor - gadget: replace ondisk implementation with disks package, refactor part calcs - tests: Revert "tests: disable flaky uc18 tests until systemd is fixed" - Revert: "many: Vendor apparmor-3.0.3 into the snapd snap" - asserts: rename "white box" to "clear box" (woke checker) - many: Vendor apparmor-3.0.3 into the snapd snap - tests: reorganize the debug-each on the spread.yaml - packaging: sync with downstream packaging in Fedora and openSUSE - tests: disable flaky uc18 tests until systemd is fixed - data/env: provide profile setup for fish shell - tests: use ubuntu-image 1.11 from stable channel - gadget/gadget.go: include disk schema in the disk device volume traits too - tests/main/security-device-cgroups-strict-enforced: extend the comments - README.md: point at bugs.launchpad.net/snapd instead of snappy project - osutil/disks: introduce RegisterDeviceMapperBackResolver + use for crypt-luks2 - packaging: make postrm script robust against `rm` failures - tests: print extra debug on auto-refresh-gating test failure - o/assertstate, api: move enforcing/monitoring from api to assertstate, save history - tests: skip the test-snapd-timedate-control-consumer.date to avoid NTP sync error - gadget/install: use disks functions to implement deviceFromRole, also rename - tests: the `lxd` test is failing right now on 21.10 - o/snapstate: account for deleted revs when undoing install - interfaces/builtin/block_devices: allow blkid to print block device attributes - gadget: include size + sector-size in DiskVolumeDeviceTraits - cmd/libsnap-confine-private: do not deny all devices when reusing the device cgroup - interfaces/builtin/time-control: allow pps access - o/snapstate/handlers: propagate read errors on "copy-snap-data" - osutil/disks: add more fields to Partition, populate them during discovery - interfaces/u2f-devices: add Trezor and Trezor v2 keys - interfaces: timezone-control, add permission for ListTimezones DBus call - o/snapstate: remove repeated test assertions - tests: skip `snap advise-command` test if the store is overloaded - cmd: create ~/snap dir with 0700 perms - interfaces/apparmor/template.go: allow udevadm from merged usr systems - github: leave a comment documenting reasons for pipefail - github: enable pipefail when running spread - osutil/disks: add DiskFromPartitionDeviceNode - gadget, many: add model param to Update() - cmd/snap-seccomp: add riscv64 support - o/snapstate: maintain a RevertStatus map in SnapState - tests: enable lxd tests on impish system - tests: (partially) revert the memory limits PR#r10241 - o/assertstate: functions for handling validation sets tracking history - tests: some improvements for the spread log parser - interfaces/network-manager-observe: Update for libnm / dart clients - tests: add ntp related debug around "auto-refresh" test - boot: expand on the fact that reseal taking modeenv is very intentional - cmd/snap-seccomp/syscalls: update syscalls to match libseccomp abad8a8f4 - data/selinux: update the policy to allow snapd to talk to org.freedesktop.timedate1 - o/snapstate: keep old revision if install doesn't add new one - overlord/state: add a unit test for a kernel+base refresh like sequence - desktop, usersession: observe notifications - osutil/disks: add AllPhysicalDisks() - timeutil,deviceutil: fix unit tests on systems without dbus or without ntp-sync - cmd/snap-bootstrap/README: explain all the things (well most of them anyways) - docs: add run-checks dependency install instruction - o/snapstate: do not prune refresh-candidates if gate-auto-refresh- hook feature is not enabled - o/snapstate: test relink remodel helpers do a proper subset of doInstall and rework the verify*Tasks helpers - tests/main/mount-ns: make the test run early - tests: add `--debug` to netplan apply - many: wait for up to 10min for NTP synchronization before autorefresh - tests: initialize CHANGE_ID in _wait_autorefresh - sandbox/cgroup: freeze and thaw cgroups related to services and scopes only - tests: add more debug around qemu-nbd - o/hookstate: print cohort with snapctl refresh --pending (#10985) - tests: misc robustness changes - o/snapstate: improve install/update tests (#10850) - tests: clean up test tools - spread.yaml: show `journalctl -e` for all suites on debug - tests: give interfaces-udisks2 more time for the loop device to appear - tests: set memory limit for snapd - tests: increase timeout/add debug around nbd0 mounting (up, see LP:#1949513) - snapstate: add debug message where a snap is mounted - tests: give nbd0 more time to show up in preseed-lxd - interfaces/dsp: add more ambarella things - cmd/snap: improve snap disconnect arg parsing and err msg - tests: disable nested lxd snapd testing - tests: disable flaky "interfaces-udisks2" on ubuntu-18.04-32 - o/snapstate: avoid validationSetsSuite repeating snapmgrTestSuite - sandbox/cgroup: wait for start transient unit job to finish - o/snapstate: fix task order, tweak errors, add unit tests for remodel helpers - osutil/disks: re-org methods for end of usable region, size information - build-aux: ensure that debian packaging matches build-base - docs: update HACKING.md instructions for snapd 2.52 and later - spread: run lxd tests with version from latest/edge - interfaces: suppress denial of sys_module capability - osutil/disks: add methods to replace gadget/ondisk functions - tests: split test tools - part 1 - tests: fix nested tests on uc20 - data/selinux: allow snap-confine to read udev's database - i/b/common_test: refactor AppArmor features test - tests: run spread tests on debian 11 - o/devicestate: copy timesyncd clock timestamp during install - interfaces/builtin: do not probe parser features when apparmor isn't available - interface/modem-manager: allow connecting to the mbim/qmi proxy - tests: fix error message in run-checks - tests: spread test for validation sets enforcing - cmd/snap-confine: lazy set up of device cgroup, only when devices were assigned - o/snapstate: deduplicate snap names in remove/install/update - tests/main/selinux-data-context: use session when performing actions as test user - packaging/opensuse: sync with openSUSE packaging, enable AppArmor on 15.3+ - interfaces: skip connection of netlink interface on older systems - asserts, o/snapstate: honor IgnoreValidation flag when checking installed snaps - tests/main/apparmor-batch-reload: fix fake apparmor_parser to handle --preprocess - sandbox/apparmor, interfaces/apparmor: detect bpf capability, generate snippet for s-c - release-tools/repack-debian-tarball.sh: fix c-vendor dir - tests: test for enforcing with prerequisites - tests/main/snapd-sigterm: fix race conditions - spread: run lxd tests with version from latest/stable - run-checks: remove --spread from help message - secboot: use latest secboot with tpm legacy platform and v2 fully optional - tests/lib/pkgdb: install strace on Debian 11 and Sid - tests: ensure systemd-timesyncd is installed on debian - interfaces/u2f-devices: add Nitrokey 3 - tests: update the ubuntu-image channel to candidate - osutil/disks/labels: simplify decoding algorithm - tests: not testing lxd snap anymore on i386 architecture - o/snapstate, hookstate: print remaining hold time on snapctl --hold - cmd/snap: support --ignore-validation with snap install client command - tests/snapd-sigterm: be more robust against service restart - tests: simplify mock script for apparmor_parser - o/devicestate, o/servicestate: update gadget assets and cmdline when remodeling - tests/nested/manual/refresh-revert-fundamentals: re-enable encryption - osutil/disks: fix bug in BlkIDEncodeLabel, add BlkIDDecodeLabel - gadget, osutil/disks: fix some bugs from prior PR'sin the dir. - secboot: revert move to new version (revert #10715) - cmd/snap-confine: die when snap process is outside of snap specific cgroup - many: mv MockDeviceNameDisksToPartitionMapping -> MockDeviceNameToDiskMapping - interfaces/builtin: Add '/com/canonical/dbusmenu' path access to 'unity7' interface - interfaces/builtin/hardware-observer: add /proc/bus/input/devices too - osutil/disks, many: switch to defining Partitions directly for MockDiskMapping - tests: remove extra-snaps-assertions test - interface/modem-manager: add accept for MBIM/QMI proxy clients - tests/nested/core/core20-create-recovery: fix passing of data to curl - daemon: allow enabling enforce mode - daemon: use the syscall connection to get the socket credentials - i/builtin/kubernetes_support: add access to Calico lock file - osutil: ensure parent dir is opened and sync'd - tests: using test-snapd-curl snap instead of http snap - overlord: add managers unit test demonstrating cyclic dependency between gadget and kernel updates - gadget/ondisk.go: include the filesystem UUID in the returned OnDiskVolume - packaging: fixes for building on openSUSE - o/configcore: allow hostnames up to 253 characters, with dot- delimited elements - gadget/ondisk.go: add listBlockDevices() to get all block devices on a system - gadget: add mapping trait types + functions to save/load - interfaces: add polkit security backend - cmd/snap-confine/snap-confine.apparmor.in: update ld rule for s390x impish - tests: merge coverage results - tests: remove "features" from fde-setup.go example - fde: add new device-setup support to fde-setup - gadget: add `encryptedDevice` and add encryptedDeviceLUKS - spread: use `bios: uefi` for uc20 - client: fail fast on non-retryable errors - tests: support running all spread tests with experimental features - tests: check that a snap that doesn't have gate-auto-refresh hook can call --proceed - o/snapstate: support ignore-validation flag when updating to a specific snap revision - o/snapstate: test prereq update if started by old version - tests/main: disable cgroup-devices-v1 and freezer tests on 21.10 - tests/main/interfaces-many: run both variants on all possible Ubuntu systems - gadget: mv ensureLayoutCompatibility to gadget proper, add gadgettest pkg - many: replace state.State restart support with overlord/restart - overlord: fix generated snap-revision assertions in remodel unit tests- Release 2.53.4 to Fedora - Cherry pick for nvidia glvnd incompatibility- New upstream release 2.53.4 - devicestate: mock devicestate.MockTimeutilIsNTPSynchronized to avoid host env leaking into tests - timeutil: return NoTimedate1Error if it can't connect to the system bus- New upstream release 2.53.3 - devicestate: Unregister deletes the device key pair as well - daemon,tests: support forgetting device serial via API - configcore: relax validation rules for hostname - o/devicestate: introduce DeviceManager.Unregister - packaging/ubuntu, packaging/debian: depend on dbus-session-bus provider - many: wait for up to 10min for NTP synchronization before autorefresh - interfaces/interfaces/scsi_generic: add interface for scsi generic devices - interfaces/microstack-support: set controlsDeviceCgroup to true - interface/builtin/log_observe: allow to access /dev/kmsg - daemon: write formdata file parts to snaps dir - spread: run lxd tests with version from latest/edge - cmd/libsnap-confine-private: fix snap-device-helper device allow list modification on cgroup v2 - interfaces/builtin/dsp: add proc files for monitoring Ambarella DSP firmware - interfaces/builtin/dsp: update proc file accordingly- Cherry-pick a fix for snap-device-helper (RHBZ#2025264)- Release 2.53.2 to Fedora- New upstream release 2.53.2 - interfaces/builtin/block_devices: allow blkid to print block device attributes/run/udev/data/b{major}:{minor} - cmd/libsnap-confine-private: do not deny all devices when reusing the device cgroup - interfaces/builtin/time-control: allow pps access - interfaces/u2f-devices: add Trezor and Trezor v2 keys - interfaces: timezone-control, add permission for ListTimezones DBus call - interfaces/apparmor/template.go: allow udevadm from merged usr systems - interface/modem-manager: allow connecting to the mbim/qmi proxy - interfaces/network-manager-observe: Update for libnm client library - cmd/snap-seccomp/syscalls: update syscalls to match libseccomp abad8a8f4 - sandbox/cgroup: freeze and thaw cgroups related to services and scopes only - o/hookstate: print cohort with snapctl refresh --pending - cmd/snap-confine: lazy set up of device cgroup, only when devices were assigned - tests: ensure systemd-timesyncd is installed on debian - tests/lib/pkgdb: install strace on Debian 11 and Sid - tests/main/snapd-sigterm: flush, use retry - tests/main/snapd-sigterm: fix race conditions - release-tools/repack-debian-tarball.sh: fix c-vendor dir - data/selinux: allow snap-confine to read udev's database - interfaces/dsp: add more ambarella things* interfaces/dsp: add more ambarella things- Disable BPF support on systems that are too old- Release 2.53.1 to Fedora- New upstream release 2.53.1 - spread: run lxd tests with version from latest/stable - secboot: use latest secboot with tpm legacy platform and v2 fully optional (#10946) - cmd/snap-confine: die when snap process is outside of snap specific cgroup (2.53) - interfaces/u2f-devices: add Nitrokey 3 - Update the ubuntu-image channel to candidate - Allow hostnames up to 253 characters, with dot-delimited elements (as suggested by man 7 hostname). - Disable i386 until it is possible to build snapd using lxd - o/snapstate, hookstate: print remaining hold time on snapctl --hold - tests/snapd-sigterm: be more robust against service restart - tests: add a regression test for snapd hanging on SIGTERM - daemon: use the syscall connection to get the socket credentials - interfaces/builtin/hardware-observer: add /proc/bus/input/devices too - cmd/snap-confine/snap-confine.apparmor.in: update ld rule for s390x impish - interface/modem-manager: add accept for MBIM/QMI proxy clients - secboot: revert move to new version- New upstream release 2.53 - overlord: fix generated snap-revision assertions in remodel unit tests - snap-bootstrap: wait in `mountNonDataPartitionMatchingKernelDisk` - interfaces/modem-manager: add access to PCIe modems - overlord/devicestate: record recovery capable system on a successful remodel - o/snapstate: use device ctx in prerequisite install/update - osutil/disks: support filtering by mount opts in MountPointsForPartitionRoot - many: support an API flag system-restart-immediate to make snap ops proceed immediately with system restarts - osutil/disks: add RootMountPointsForPartition - overlord/devicestate, tests: enable UC20 remodel, add spread tests - cmd/snap: improve snap run help message - o/snapstate: support ignore validation flag on install/update - osutil/disks: add Disk.FindMatchingPartitionWith{Fs,Part}Label - desktop: implement gtk notification backend and provide minimal notification api - tests: use the latest cpu family for nested tests execution - osutil/disks: add Partition struct and Disks.Partitions() - o/snapstate: prevent install hang if prereq install fails - osutil/disks: add Disk.KernelDevice{Node,Path} methods - disks: add `Size(path)` helper - tests: reset some mount units failing on ubuntu impish - osutil/disks: add DiskFromDevicePath, other misc changes - interfaces/apparmor: do not fail during initialization when there is no AppArmor profile for snap-confine - daemon: implement access checkers for themes API - interfaces/seccomp: add clone3 to default template - interfaces/u2f-devices: add GoTrust Idem Key - o/snapstate: validation sets enforcing on update - o/ifacestate: don't fail remove if disconnect hook fails - tests: fix error trying to create the extra-snaps dir which already exists - devicestate: use EncryptionType - cmd/libsnap-confine-private: workaround BPF memory accounting, update apparmor profile - tests: skip system-usernames-microk8s when TRUST_TEST_KEYS is false - interfaces/dsp: add a usb rule to the ambarella flavor - interfaces/apparmor/template.go: allow inspection of dbus mediation level - tests/main/security-device-cgroups: fix when both variants run on the same host - cmd/snap-confine: update s-c apparmor profile to allow versioned ld.so - many: rename systemd.Kind to Backend for a bit more clarity - cmd/libsnap-confine-private: fix set but unused variable in the unit tests - tests: fix netplan test on i386 architecture - tests: fix lxd-mount-units test which is based on core20 in ubuntu focal system - osutil/disks: add new `CreateLinearMapperDevice` helper - cmd/snap: wait while inhibition file is present - tests: cleanup the job workspace as first step of the actions workflow - tests: use our own image for ubuntu impish - o/snapstate: update default provider if missing required content - o/assertstate, api: update validation set assertions only when updating all snaps - fde: add HasDeviceUnlock() helper - secboot: move to new version - o/ifacestate: don't lose connections if snaps are broken - spread: display information about current device cgroup in debug dump - sysconfig: set TMPDIR in tests to avoid cluttering the real /tmp - tests, interfaces/builtin: introduce 21.10 cgroupv2 variant, tweak tests for cgroupv2, update builtin interfaces - sysconfig/cloud-init: filter MAAS c-i config from ubuntu-seed on grade signed - usersession/client: refactor doMany() method - interfaces/builtin/opengl.go: add libOpenGL.so* too - o/assertstate: check installed snaps when refreshing validation set assertions - osutil: helper for injecting run time faults in snapd - tests: update test nested tool part 2 - libsnap-confine: use the pid parameter - gadget/gadget.go: LaidOutSystemVolumeFromGadget -> LaidOutVolumesFromGadget - tests: update the time tolerance to fix the snapd-state test - .github/workflows/test.yaml: revert #10809 - tests: rename interfaces-hooks-misbehaving spread test to install- hook-misbehaving - data/selinux: update the policy to allow s-c to manipulate BPF map and programs - overlord/devicestate: make settle wait longer in remodel tests - kernel/fde: mock systemd-run in unit test - o/ifacestate: do not create stray task in batchConnectTasks if there are no connections - gadget: add VolumeName to Volume and VolumeStructure - cmd/libsnap-confine-private: use root when necessary for BPF related operations - .github/workflows/test.yaml: bump action-build to 1.0.9 - o/snapstate: enforce validation sets/enforce on InstallMany - asserts, snapstate: return full validation set keys from CheckPresenceRequired and CheckPresenceInvalid - cmd/snap: only log translation warnings in debug/testing - tests/main/preseed: update for new base snap of the lxd snap - tests/nested/manual: use loop for checking for initialize-system task done - tests: add a local snap variant to testing prepare-image gating support - tests/main/security-device-cgroups-strict-enforced: demonstrate device cgroup being enforced - store: one more tweak for the test action timeout - github: do not fail when codecov upload fails - o/devicestate: fix flaky test remodel clash - o/snapstate: add ChangeID to conflict error - tests: fix regex of TestSnapActionTimeout test - tests: fix tests for 21.10 - tests: add test for store.SnapAction() request timeout - tests: print user sessions info on debug-each - packaging: backports of golang-go 1.13 are good enough - sysconfig/cloudinit: add cloudDatasourcesInUseForDir - cmd: build gdb shims as static binaries - packaging/ubuntu: pass GO111MODULE to dh_auto_test - cmd/libsnap-confine-private, tests, sandbox: remove warnings about cgroup v2, drop forced devmode - tests: increase memory quota in quota-groups-systemd-accounting - tests: be more robust against a new day stepping in - usersession/xdgopenproxy: move PortalLauncher class to own package - interfaces/builtin: fix microstack unit tests on distros using /usr/libexec - cmd/snap-confine: handle CURRENT_TAGS on systems that support it - cmd/libsnap-confine-private: device cgroup v2 support - o/servicestate: Update task summary for restart action - packaging, tests/lib/prepare-restore: build packages without network access, fix building debs with go modules - systemd: add AtLeast() method, add mocking in systemdtest - systemd: use text.template to generate mount unit - o/hookstate/ctlcmd: Implement snapctl refresh --show-lock command - o/snapstate: optimize conflicts around snaps stored on conditional-auto-refresh task - tests/lib/prepare.sh: download core20 for UC20 runs via BASE_CHANNEL - mount-control: step 1 - go: update go.mod dependencies - o/snapstate: enforce validation sets on snap install - tests: revert revert manual lxd removal - tests: pre-cache snaps in classic and core systems - tests/lib/nested.sh: split out additional helper for adding files to VM imgs - tests: update nested tool - part1 - image/image_linux.go: add newline - interfaces/block-devices: support to access the state of block devices - o/hookstate: require snap-refresh-control interface for snapctl refresh --proceed - build-aux: stage libgcc1 library into snapd snap - configcore: add read-only netplan support - tests: fix fakedevicesvc service already exists - tests: fix interfaces-libvirt test - tests: remove travis leftovers - spread: bump delta ref to 2.52 - packaging: ship the `snapd.apparmor.service` unit in debian - packaging: remove duplicated `golang-go` build-dependency - boot: record recovery capable systems in recovery bootenv - tests: skip overlord tests on riscv64 due to timeouts. - overlord/ifacestate: fix arguments in unit tests - ifacestate: undo repository connection if doConnect fails - many: remove unused parameters - tests: failure of prereqs on content interface doesn't prevent install - tests/nested/manual/refresh-revert-fundamentals: fix variable use - strutil: add Intersection() - o/ifacestate: special-case system-files and force refreshing its static attributes - interface/builtin: add qualcomm-ipc-router interface for AF_QIPCRTR socket protocol - tests: new snapd-state tool - codecov: fix files pathnames - systemd: add mock systemd helper - tests/nested/core/extra-snaps-assertions: fix the match pattern - image,c/snap,tests: support enforcing validations in prepare-image via --customize JSON validation enforce(|ignore) - o/snapstate: enforce validation sets assertions when removing snaps - many: update deps - interfaces/network-control: additional ethernet rule - tests: use host-scaled settle timeout for hookstate tests - many: move to go modules - interfaces: no need for snapRefreshControlInterface struct - interfaces: introduce snap-refresh-control interface - tests: move interfaces-libvirt test back to 16.04 - tests: bump the number of retries when waiting for /dev/nbd0p1 - tests: add more space on ubuntu xenial - spread: add 21.10 to qemu, remove 20.10 (EOL) - packaging: add libfuse3-dev build dependency - interfaces: add microstack-support interface - wrappers: fix a bunch of duplicated service definitions in tests - tests: use host-scaled timeout to avoid riscv64 test failure - many: fix run-checks gofmt check - tests: spread test for snapctl refresh --pending/--proceed from the snap - o/assertstate,daemon: refresh validation sets assertions with snap declarations - tests: migrate tests that are only executed on xenial to bionic - tests: remove opensuse-15.1 and add opensuse-15.3 from spread runs - packaging: update master changelog for 2.51.7 - sysconfig/cloudinit: fix bug around error state of cloud-init - interfaces, o/snapstate: introduce AffectsPlugOnRefresh flag - interfaces/interfaces/ion-memory-control: add: add interface for ion buf - interfaces/dsp: add /dev/ambad into dsp interface - tests: new spread log parser - tests: check files and dirs are cleaned for each test - o/hookstate/ctlcmd: unify the error message when context is missing - o/hookstate: support snapctl refresh --pending from snap - many: remove unused/dead code - cmd/libsnap-confine-private: add BPF support helpers - interfaces/hardware-observe: add some dmi properties - snapstate: abort kernel refresh if no gadget update can be found - many: shellcheck fixes - cmd/snap: add Size column to refresh --list - packaging: build without dwarf debugging data - snapstate: fix misleading `assumes` error message - tests: fix restore in snapfuse spread tests - o/assertstate: fix missing 'scheduled' header when auto refreshing assertions - o/snapstate: fail remove with invalid snap names - o/hookstate/ctlcmd: correct err message if missing root - .github/workflows/test.yaml: fix logic - o/snapstate: don't hold some snaps if not all snaps can be held by the given gating snap - c-vendor.c: new c-vendor subdir - store: make sure expectedZeroFields in tests gets updated - overlord: add manager test for "assumes" checking - store: deal correctly with "assumes" from the store raw yaml - sysconfig/cloudinit.go: add functions for filtering cloud-init config - cgroup-support: allow to hide cgroupv2 warning via ENV - gadget: Export mkfs functions for use in ubuntu-image - tests: set to 10 minutes the kill timeout for tests failing on slow boards - .github/workflows/test.yaml: test github.events key - i18n/xgettext-go: preserve already escaped quotes - cmd/snap-seccomp/syscalls: update syscalls list to libseccomp v2.2.0-428-g5c22d4b - github: do not try to upload coverage when working with cached run - tests/main/services-install-hook-can-run-svcs: shellcheck issue fix - interfaces/u2f-devices: add Nitrokey FIDO2 - testutil: add DeepUnsortedMatches Checker - cmd, packaging: import BPF headers from kernel, detect whether host headers are usable - tests: fix services-refresh-mode test - tests: clean snaps.sh helper - tests: fix timing issue on security-dev-input-event-denied test - tests: update systems for sru validation - .github/workflows: add codedov again - secboot: remove duplicate import - tests: stop the service when is active in test interfaces- firewall-control test - packaging: remove TEST_GITHUB_AUTOPKGTEST support - packaging: merge 2.51.6 changelog back to master - secboot: use half the mem for KDF in AddRecoveryKey - secboot: switch main key KDF memory cost to 32KB - tests: remove the test user just when it was installed on create- user-2 test - spread: temporarily fix the ownership of /home/ubuntu/.ssh on 21.10 - daemon, o/snapstate: handle IgnoreValidation flag on install (2/3) - usersession/agent: refactor common JSON validation into own function - o/hookstate: allow snapctl refresh --proceed from snaps - cmd/libsnap-confine-private: fix issues identified by coverity - cmd/snap: print logs in local timezone - packaging: changelog for 2.51.5 to master - build-aux: build with go-1.13 in the snapcraft build too - config: rename "virtual" config to "external" config - devicestate: add `snap debug timings --ensure=install-system` - interfaces/builtin/raw_usb: fix platform typo, fix access to usb devices accessible through platform - o/snapstate: remove commented out code - cmd/snap-device-helper: reimplement snap-device-helper - cmd/libsnap-confine-private: fix coverity issues in tests, tweak uses of g_assert() - o/devicestate/handlers_install.go: add workaround to create dirs for install - o/assertstate: implement ValidationSetAssertionForEnforce helper - clang-format: stop breaking my includes - o/snapstate: allow auto-refresh limited to snaps affected by a specific gating snap - tests: fix core-early-config test to use tests.nested tool - sysconfig/cloudinit.go: measure (but don't use) gadget cloud-init datasource - c/snap,o/hookstate/ctlcmd: add JSON/string strict processing flags to snap/snapctl - corecfg: add "system.hostname" setting to the system settings - wrappers: measure time to enable services in StartServices() - configcore: fix early config timezone handling - tests/nested/manual: enable serial assertions on testkeys nested VM's - configcore: fix a bunch of incorrect error returns - .github/workflows/test.yaml: use snapcraft 4.x to build the snapd snap - packaging: merge 2.51.4 changelog back to master - {device,snap}state: skip kernel extraction in seeding - vendor: move to snapshot-4c814e1 branch and set fixed KDF options - tests: use bigger storage on ubuntu 21.10 - snap: support links map in snap.yaml (and later from the store API) - o/snapstate: add AffectedByRefreshCandidates helper - configcore: register virtual config for timezone reading - cmd/libsnap-confine-private: move device cgroup files, add helper to deny a device - tests: fix cached-results condition in github actions workflow - interfaces/tee: add support for Qualcomm qseecom device node - packaging: fix build failure on bionic and simplify rules - o/snapstate: affectedByRefresh tweaks - tests: update nested wait for snapd command - interfaces/builtin: allow access to per-user GTK CSS overrides - tests/main/snapd-snap: install 4.x snapcraft to build the snapd snap - snap/squashfs: handle squashfs-tools 4.5+ - asserts/snapasserts: CheckPresenceInvalid and CheckPresenceRequired methods - cmd/snap-confine: refactor device cgroup handling to enable easier v2 integration - tests: skip udp protocol on latest ubuntus - cmd/libsnap-confine-private: g_spawn_check_exit_status is deprecated since glib 2.69 - interfaces: s/specifc/specific/ - github: enable gofmt for Go 1.13 jobs - overlord/devicestate: UC20 specific set-model, managers tests - o/devicestate, sysconfig: refactor cloud-init config permission handling - config: add "virtual" config via config.RegisterVirtualConfig - packaging: switch ubuntu to use golang-1.13 - snap: change `snap login --help` to not mention "buy" - tests: removing Ubuntu 20.10, adding 21.04 nested in spread - tests/many: remove lxd systemd unit to prevent unexpected leftovers - tests/main/services-install-hook-can-run-svcs: make variants more obvious - tests: force snapd-session-agent.socket to be re-generated- New upstream release 2.52.1 - snap-bootstrap: wait in `mountNonDataPartitionMatchingKernelDisk` for the disk (if not present already) - many: support an API flag system-restart-immediate to make snap ops proceed immediately with system restarts - cmd/libsnap-confine-private: g_spawn_check_exit_status is deprecated since glib 2.69 - interfaces/seccomp: add clone3 to default template - interfaces/apparmor/template.go: allow inspection of dbus mediation level - interfaces/dsp: add a usb rule to the ambarella flavor - cmd/snap-confine: update s-c apparmor profile to allow versioned ld.so - o/ifacestate: don't lose connections if snaps are broken - interfaces/builtin/opengl.go: add libOpenGL.so* too - interfaces/hardware-observe: add some dmi properties - build-aux: stage libgcc1 library into snapd snap - interfaces/block-devices: support to access the state of block devices - packaging: ship the `snapd.apparmor.service` unit in debian- Update to 2.52 - Drop squashfs 4.5+ patch as it's part of 2.52 release - Cherry pick clone3 seccom patch (RHBZ#2008737)- New upstream release 2.52 - interface/builtin: add qualcomm-ipc-router interface for AF_QIPCRTR socket protocol - o/ifacestate: special-case system-files and force refreshing its static attributes - interfaces/network-control: additional ethernet rule - packaging: update 2.52 changelog with 2.51.7 - interfaces/interfaces/ion-memory-control: add: add interface for ion buf - packaging: merge 2.51.6 changelog back to 2.52 - secboot: use half the mem for KDF in AddRecoveryKey - secboot: switch main key KDF memory cost to 32KB - many: merge release/2.51 change to release/2.52 - .github/workflows/test.yaml: use snapcraft 4.x to build the snapd snap - o/servicestate: use snap app names for ExplicitServices of ServiceAction - tests/main/services-install-hook-can-run-svcs: add variant w/o --enable - o/servicestate: revert only start enabled services - tests: adding Ubuntu 21.10 to spread test suite - interface/modem-manager: add support for MBIM/QMI proxy clients - cmd/snap/model: support storage-safety and snaps headers too - o/assertstate: Implement EnforcedValidationSets helper - tests: using retry tool for nested tests - gadget: check for system-save with multi volumes if encrypting correctly - interfaces: make the service naming entirely internal to systemd BE - tests/lib/reset.sh: fix removing disabled snaps - store/store_download.go: use system snap provided xdelta3 priority + fallback - packaging: merge changelog from 2.51.3 back to master - overlord: only start enabled services - interfaces/builtin: add sd-control interface - tests/nested/cloud-init-{never-used,nocloud}-not-vuln: fix tests, use 2.45 - tests/lib/reset.sh: add workaround from refresh-vs-services tests for all tests - o/assertstate: check for conflicts when refreshing and committing validation set asserts - devicestate: add support to save timings from install mode - tests: new tests.nested commands copy and wait-for - install: add a bunch of nested timings - tests: drop any-python wrapper - store: set ResponseHeaderTimeout on the default transport - tests: fix test-snapd-user-service-sockets test removing snap - tests: moving nested_exec to nested.tests exec - tests: add tests about services vs snapd refreshes - client, cmd/snap, daemon: refactor REST API for quotas to match CLI org - c/snap,asserts: create/delete-key external keypair manager interaction - tests: revert disable of the delta download tests - tests/main/system-usernames-microk8s: disable on centos 7 too - boot: support device change - o/snapstate: remove unused refreshSchedule argument for isRefreshHeld helper - daemon/api_quotas.go: handle conflicts, returning conflict response - tests: test for gate-auto-refresh hook error resulting in hold - release: 2.51.2 - snapstate/check_snap: add snap_microk8s to shared system- usernames - snapstate: remove temporary snap file for local revisions early - interface: allows reading sd cards internal info from block- devices interface - tests: Renaming tool nested-state to tests.nested - testutil: fix typo in json checker unit tests - tests: ack assertions by default, add --noack option - overlord/devicestate: try to pick alternative recovery labels during remodel - bootloader/assets: update recovery grub to allow system labels generated by snapd - tests: print serial log just once for nested tests - tests: remove xenial 32 bits - sandbox/cgroup: do not be so eager to fail when paths do not exist - tests: run spread tests in ubuntu bionic 32bits - c/snap,asserts: start supporting ExternalKeypairManager in the snap key-related commands - tests: refresh control spread test - cmd/libsnap-confine-private: do not fail on ENOENT, better getline error handling - tests: disable delta download tests for now until the store is fixed - tests/nested/manual/preseed: fix for cloud images that ship without core18 - boot: properly handle tried system model - tests/lib/store.sh: revert #10470 - boot, seed/seedtest: tweak test helpers - o/servicestate: TODO and fix preexisting typo - o/servicestate: detect conflicts for quota group operations - cmd/snap/quotas: adjust help texts for quota commands - many/quotas: little adjustments - tests: add spread test for classic snaps content slots - o/snapstate: fix check-rerefresh task summary when refresh control is used - many: use changes + tasks for quota group operations - tests: fix test snap-quota-groups when checking file cgroupProcsFile - asserts: introduce ExternalKeypairManager - o/ifacestate: do not visit same halt tasks in waitChainSearch to avoid cycles - tests/lib/store.sh: fix make_snap_installable_with_id() - overlord/devicestate, overlord/assertstate: use a temporary DB when creating recovery systems - corecfg: allow using `# snapd-edit: no` header to disable pi- config# snapd-edit: no - tests/main/interfaces-ssh-keys: tweak checks for openSUSE Tumbleweed - cmd/snap: prevent cycles in waitChainSearch with snap debug state - o/snapstate: fix populating of affectedSnapInfo.AffectingSnaps for marking self as affecting - tests: new parameter used by retry tool to set env vars - tests: support parameters for match-log on journal-state tool - configcore: ignore system.pi-config.* setting on measured kernels - sandbox/cgroup: support freezing groups with unified hierarchy - tests: fix preseed test to used core20 snap on latest systems - testutil: introduce a checker which compares the type after having passed them through a JSON marshaller - store: tweak error message when store.Sections() download fails - o/servicestate: stop setting DoneStatus prematurely for quota- control - cmd/libsnap-confine-private: bump max depth of groups hierarchy to 32 - many: turn Contact into an accessor - store: make the log with download size a debug one - cmd/snap-update-ns: Revert "cmd/snap-update-ns: add SRCDIR to include search path" - o/devicestate: move SystemMode method before first usage - tests: skip tests when the sections cannot be retrieved - boot: support resealing with a try model - o/hookstate: dedicated handler for gate-auto-refresh hook - tests: make sure the /root/snap dir is backed up on test snap- user-dir-perms-fixed - cmd/snap-confine: make mount ns use check cgroup v2 compatible - snap: fix TestInstallNoPATH unit test failure when SUDO_UID is set - cmd/libsnap-confine-private/cgroup-support.c: Fix typo - cmd/snap-confine, cmd/snapd-generator: fix issues identified by sparse - o/snapstate: make conditional-auto-refresh conflict with other tasks via affected snaps - many: pass device/model info to configcore via sysconfig.Device interface - o/hookstate: return bool flag from Error function of hook handler to ignore hook errors - cmd/snap-update-ns: add SRCDIR to include search path - tests: fix for tests/main/lxd-mount-units test and enable ubuntu-21.04 - overlord, o/devicestate: use a single test helper for resetting to a post boot state - HACKING.md: update instructions for go1.16+ - tests: fix restore for security-dev-input-event-denied test - o/servicestate: move SetStatus to doQuotaControl - tests: fix classic-prepare-image test - o/snapstate: prune gating information and refresh-candidates on snap removal - o/svcstate/svcstatetest, daemon/api_quotas: fix some tests, add mock helper - cmd: a bunch of tweaks and updates - o/servicestate: refactor meter handling, eliminate some common parameters - o/hookstate/ctlcmd: allow snapctl refresh --pending --proceed syntax. - o/snapstate: prune refresh candidates in check-rerefresh - osutil: pass --extrausers option to groupdel - o/snapstate: remove refreshed snap from snaps-hold in snapstate.doInstall - tests/nested: add spread test for uc20 cloud.conf from gadgets - boot: drop model from resealing and boostate - o/servicestate, snap/quota: eliminate workaround for buggy systemds, add spread test - o/servicestate: introduce internal and servicestatetest - o/servicestate/quota_control.go: enforce minimum of 4K for quota groups - overlord/servicestate: avoid unnecessary computation of disabled services - o/hookstate/ctlcmd: do not call ProceedWithRefresh immediately from snapctl - o/snapstate: prune hold state during autoRefreshPhase1 - wrappers/services.go: do not restart disabled or inactive services - sysconfig/cloudinit.go: allow installing both gadget + ubuntu-seed config - spread: switch LXD back to latest/candidate channel - interfaces/opengl: add support for Imagination PowerVR - boot: decouple model from seal/reseal handling via an auxiliary type - spread, tests/main/lxd: no longer manual, switch to latest/stable - github: try out golangci-lint - tests: set lxd test to manual until failures are fixed - tests: connect 30% of the interfaces on test interfaces-many-core- provided - packaging/debian-sid: update snap-seccomp patches for latest master - many: fix imports order (according to gci) - o/snapstate: consider held snaps in autoRefreshPhase2 - o/snapstate: unlock the state before calling backend in undoStartSnapServices - tests: replace "not MATCH" by NOMATCH in tests - README.md: refer to new IRC server - cmd/snap-preseed: provide more error info if snap-preseed fails early on mount - daemon: add a Daemon argument to AccessChecker.CheckAccess - c/snap-bootstrap: add bind option with tests - interfaces/builtin/netlink_driver_test.go: add test snippet - overlord/devicestate: set up recovery system tasks when attempting a remodel - osutil,strutil,testutil: fix imports order (according to gci) - release: merge 2.51.1 changelog - cmd: fix imports order (according to gci) - tests/lib/snaps/test-snapd-policy-app-consumer: remove dsp-control interface - o/servicestate: move handlers tests to quota_handlers_test.go file instead - interfaces: add netlink-driver interface - interfaces: remove leftover debug print - systemd: refactor property parsers for int values in CurrentTasksCount, etc. - tests: fix debug section for postrm-purge test - tests/many: change all cloud-init passwords for ubuntu to use plain_test_passwd - asserts,interfaces,snap: fix imports order (according to gci) - o/servicestate/quota_control_test.go: test the handlers directly - tests: fix issue when checking the udev tag on test security- device-cgroups - many: introduce Store.SnapExists and use it in /v2/accessories/themes - o/snapstate: update LastRefreshTime in doLinkSnap handler - o/hookstate: handle snapctl refresh --proceed and --hold - boot: fix model inconsistency check in modeenv, extend unit tests - overlord/servicestate: improve test robustness with locking - tests: first part of the cleanup - tests: new note in HACKING file to clarify about yamlordereddictloader dependency - daemon: make CheckAccess return an apiError - overlord: fix imports ordering (according to gci) - o/servicestate: add quotastate handlers - boot: track model's sign key ID, prepare infra for tracking candidate model - daemon: have apiBaseSuite.errorReq return *apiError directly - o/servicestate/service_control.go: add comment about ExplicitServices - interfaces: builtin: add dm-crypt interface to support external storage encryption - daemon: split out error response code from response*.go to errors*.go - interfaces/dsp: fix typo in udev rule - daemon,o/devicestate: have DeviceManager.SystemMode take an expectation on the system - o/snapstate: add helpers for setting and querying holding time for snaps - many: fix quota groups for centos 7, amazon linux 2 w/ workaround for buggy systemd - overlord/servicestate: mv ensureSnapServicesForGroup to new file - overlord/snapstate: lock the mutex before returning from stop snap services undo - daemon: drop resp completely in favor of using respJSON consistently - overlord/devicestate: support for snap downloads in recovery system handlers - daemon: introduce a separate findResponse, simplify SyncRespone and drop Meta - overlord/snapstate, overlord/devicestate: exclusive change conflict check - wrappers, packaging, snap-mgmt: handle removing slices on purge too - services: remember if acting on the entire snap - store: extend context and action objects of SnapAction with validation-sets - o/snapstate: refresh control - autorefresh phase2 - cmd/snap/quota: refactor quota CLI as per new design - interfaces: opengl: change path for Xilinx zocl driver - tests: update spread images for ubuntu-core-20 and ubuntu-21.04 - o/servicestate/quota_control_test.go: change helper escaping - o/configstate/configcore: support snap set system swap.size=... - o/devicestate: require serial assertion before remodeling can be started - systemd: improve systemctl error reporting - tests/core/remodel: use model assertions signed with valid keys - daemon: use apiError for more of the code - store: fix typo in snapActionResult struct json tag - userd: mock `systemd --version` in privilegedDesktopLauncherSuite - packaging/fedora: sync with downstream packaging - daemon/api_quotas.go: include current memory usage information in results - daemon: introduce StructuredResponse and apiError - o/patch: check if we have snapd snap with correct snap type already in snapstate - tests/main/snapd-snap: build the snapd snap on all platforms with lxd - tests: new commands for snaps-state tool - tests/main/snap-quota-groups: add functional spread test for quota groups - interfaces/dsp: add /dev/cavalry into dsp interface - cmd/snap/cmd_info_test.go: make test robust against TZ changes - tests: moving to tests directories snaps built locally - part 2 - usersession/userd: fix unit tests on systems using /var/lib/snapd - sandbox/cgroup: wait for pid to be moved to the desired cgroup - tests: fix snap-user-dir-perms-fixed vs format checks - interfaces/desktop-launch: support confined snaps launching other snaps - features: enable dbus-activation by default - usersession/autostart: change ~/snap perms to 0700 on startup - cmd/snap-bootstrap/initramfs-mounts: mount ubuntu-data nosuid - tests: new test static checker - release-tool/changelog.py: misc fixes from real world usage - release-tools/changelog.py: add function to generate github release template - spread, tests: Fedora 32 is EOL, drop it - o/snapstate: bump max postponement from 60 to 95 days - interfaces/apparmor: limit the number of jobs when running with a single CPU - packaging/fedora/snapd.spec: correct date format in changelog - packaging: merge 2.51 changelog back to master - packaging/ubuntu-16.04/changelog: add 2.50 and 2.50.1 changelogs, placeholder for 2.51 - interfaces: allow read access to /proc/tty/drivers to modem- manager and ppp/dev/tty- New upstream release 2.51.7 (RHBZ#1972558) - Include an upstream fix for squashfs 4.5+ compatibility (RHBZ#1999998)- New upstream release 2.51.7 - cmd/snap-seccomp/syscalls: update syscalls list to libseccomp v2.2.0-428-g5c22d4b1 - tests: cherry-pick shellcheck fix `bd730fd4` - interfaces/dsp: add /dev/ambad into dsp interface - many: shellcheck fixes - snapstate: abort kernel refresh if no gadget update can be found - overlord: add manager test for "assumes" checking - store: deal correctly with "assumes" from the store raw yaml- New upstream release 2.51.6 - secboot: use half the mem for KDF in AddRecoveryKey - secboot: switch main key KDF memory cost to 32KB- New upstream release 2.51.5 - snap/squashfs: handle squashfs-tools 4.5+ - tests/core20-install-device-file-install-via-hook-hack: adjust test for 2.51 - o/devicestate/handlers_install.go: add workaround to create dirs for install - tests: fix linter warning - tests: update other spread tests for new behaviour - tests: ack assertions by default, add --noack option - release-tools/changelog.py: also fix opensuse changelog date format - release-tools/changelog.py: fix typo in function name - release-tools/changelog.py: fix fedora date format - release-tools/changelog.py: handle case where we don't have a TZ - release-tools/changelog.py: fix line length check - release-tools/changelog.py: specify the LP bug for the release as an arg too - interface/modem-manager: add support for MBIM/QMI proxy clients - .github/workflows/test.yaml: use snapcraft 4.x to build the snapd snap- New upstream release 2.51.4 - {device,snap}state: skip kernel extraction in seeding - vendor: move to snapshot-4c814e1 branch and set fixed KDF options - tests/interfaces/tee: fix HasLen check for udev snippets - interfaces/tee: add support for Qualcomm qseecom device node - gadget: check for system-save with multi volumes if encrypting correctly - gadget: drive-by: drop unnecessary/supported passthrough in test gadget.yaml- Cherry pick a compatibility fix for squashfs 4.5+- Fix FTBFS with glib 2.69- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild- New upstream release 2.51.3 - interfaces/builtin: add sd-control interface - store: set ResponseHeaderTimeout on the default transport- New upstream release 2.51.2 - snapstate: remove temporary snap file for local revisions early - interface: allows reading sd cards internal info from block- devices interface - o/ifacestate: do not visit same halt tasks in waitChainSearch to avoid slow convergence (or unlikely cycles) - corecfg: allow using `# snapd-edit: no` header to disable pi- config - configcore: ignore system.pi-config.* setting on measured kernels - many: pass device/model info to configcore via sysconfig.Device interface - o/configstate/configcore: support snap set system swap.size=... - store: make the log with download size a debug one - interfaces/opengl: add support for Imagination PowerVR- New upstream release 2.51.1 - interfaces: add netlink-driver interface - interfaces: builtin: add dm-crypt interface to support external storage encryption - interfaces/dsp: fix typo in udev rule - overlord/snapstate: lock the mutex before returning from stop snap services undo - interfaces: opengl: change path for Xilinx zocl driver - interfaces/dsp: add /dev/cavalry into dsp interface - packaging/fedora/snapd.spec: correct date format in changelog- Relase 2.51 to Fedora (RHBZ#1962474)- New upstream release 2.51 - cmd/snap: stacktraces debug endpoint - secboot: deactivate volume again when model checker fails - store: extra log message, a few minor cleanups - packaging/debian-sid: update systemd patch - snapstate: adjust update-gadget-assets user visible message - tests/nested/core/core20-create-recovery: verify that recovery system can be created at runtime - gadget: support creating vfat partitions during bootstrap - daemon/api_quotas.go: support updating quotas with ensure action - daemon: tighten access to a couple of POST endpoints that should be really be root-only - seed/seedtest, overlord/devicestate: move seed validation helper to seedtest - overlord/hookstate/ctlcmd: remove unneeded parameter - snap/quota: add CurrentMemoryUsage for current memory usage of a quota group - systemd: add CurrentMemoryUsage to get current memory usage for a unit - o/snapstate: introduce minimalInstallInfo interface - o/hookstate: print pending info (ready, inhibited or none) - osutil: a helper to find out the total amount of memory in the system - overlord, overlord/devicestate: allow for reloading modeenv in devicemgr when testing - daemon: refine access testing - spread: disable unattended-upgrades on debian - tests/lib/reset: make nc exit after a while when connection is idle - daemon: replace access control flags on commands with access checkers - release-tools/changelog.py: refactor regexp + file reading/writing - packaging/debian-sid: update locale patch for the latest master - overlord/devicestate: tasks for creating recovery systems at runtime - release-tools/changelog.py: implement script to update all the changelog files - tests: change machine type used for nested testsPrices: - cmd/snap: include locale when linting description being lower case - o/servicestate: add RemoveSnapFromQuota - interfaces/serial-port: add Qualcomm serial port devices to allowed list - packaging: merge 2.50.1 changelog back - interfaces/builtin: introduce raw-input interface - tests: remove tests.cleanup prepare from nested test - cmd/snap-update-ns: fix linter errors - asserts: fix errors reported by linter - o/hookstate/ctlcmd: allow system-mode for non-root - overlord/devicestate: comment why explicit system mode check is needed in ensuring tried recovery systems (#10275) - overlord/devicesate: observe snap writes when creating recovery systems - packaging/ubuntu-16.04/changelog: add placeholder for 2.50.1 - tests: moving to tests directories snaps built locally - part 1 - seed/seedwriter: fail early when system seed directory exists - o/snapstate: autorefresh phase1 for refresh-control - c/snap: more precise message for ErrorKindSystemRestart op != reboot - tests: simplify the tests.cleanup tool - boot: helpers for manipulating current and good recovery systems list - o/hookstate, o/snapstate: print revision, version, channel with snapctl --pending - overlord: unit test tweaks, use well known snap IDs, setup snap declarations for most common snaps - tests/nested/manual: add test for install-device + snapctl reboot - o/servicestate: restart slices + services on modifications - tests: update mount-ns test to support changes in the distro - interfaces: fix linter issues - overlord: mock logger in managers unit tests - tests: adding support for fedora-34 - tests: adding support for debian 10 on gce - boot: reseal given keys when the respective boot chain has changed - secboot: switch encryption key size to 32 byte (thanks to Chris) - interfaces/dbus: allow claiming 'well-known' D-Bus names with a wildcard suffix - spread: bump delta reference version - interfaces: builtin: update permitted paths to be compatible with UC20 - overlord: fix errors reported by linter - tests: remove old fedora systems from tests - tests: update spread url - interfaces/camera: allow devices in /sys/devices/platform/**/usb* - interfaces/udisks2: Allow access to the login manager via dbus - cmd/snap: exit normally if "snap changes" has no changes (LP #1823974) - tests: more fixes for spread suite on openSUSE - tests: fix tests expecting cgroup v1/hybrid on openSUSE Tumbleweed - daemon: fix linter errors - spread: add Fedora 34, leave a TODO about dropping Fedora 32 - interfaces: fix linter errors - tests: use op.paths tools instead of dirs.sh helper - part 2 - client: Fix linter errors - cmd/snap: Fix errors reported by linter - cmd/snap-repair: fix linter issues - cmd/snap-bootstrap: Fix linter errors - tests: update permission denied message for test-snapd-event on ubuntu 2104 - cmd/snap: small tweaks based on previous reviews - snap/snaptest: helper that mocks both the squashfs file and a snap directory - overlord/devicestate: tweak comment about creating recovery systems, formatting tweaks - overlord/devicestate: move devicemgr base suite helpers closer to test suite struct - overlord/devicestate: keep track of tried recovery system - seed/seedwriter: clarify in the diagram when SetInfo is called - overlord/devicestate: add helper for creating recovery systems at runtime - snap-seccomp: update syscalls.go list - boot,image: support image.Customizations.BootFlags - overlord: support snapctl --halt|--poweroff in gadget install- device - features,servicestate: add experimental.quota-groups flag - o/servicestate: address comments from previous PR - tests: basic spread test for snap quota commands - tests: moving the snaps which are not locally built to the store directory - image,c/snap: implement prepare-image --customize - daemon: implement REST API for quota groups (create / list / get) - cmd/snap, client: snap quotas command - o/devicestate,o/hookstate/ctlcmd: introduce SystemModeInfo methods and snapctl system-mode - o/servicestate/quota_control.go: introduce (very) basic group manipulation methods - cmd/snap, client: snap remove-quota command - wrappers, quota: implement quota groups slice generation - snap/quotas: followups from previous PR - cmd/snap: introduce 'snap quota' command - o/configstate/configcore/picfg.go: use ubuntu-seed config.txt in uc20 run mode - o/servicestate: test has internal ordering issues, consider both cases - o/servicestate/quotas: add functions for getting and setting quotas in state - tests: new buckets for snapd-spread project on gce - spread.yaml: update the gce project to start using snapd-spread - quota: new package for managing resource groups - many: bind and check keys against models when using FDE hooks v2 - many: move responsibilities down seboot -> kernel/fde and boot -> secboot - packaging: add placeholder changelog - o/configstate/configcore/vitality: fix RequireMountedSnapdSnap bug - overlord: properly mock usr-lib-snapd tests to mimic an Ubuntu Core system - many: hide EncryptionKey size and refactors for fde hook v2 next steps - tests: adding debug info for create user tests - o/hookstate: add "refresh" command to snapctl (hidden, not complete yet) - systemd: wait for zfs mounts (LP #1922293) - testutil: support referencing files in FileEquals checker - many: refactor to kernel/fde and allow `fde-setup initial-setup` to return json - o/snapstate: store refresh-candidates in the state - o/snapstate: helper for creating gate-auto-refresh hooks - bootloader/bootloadertest: provide interface implementation as mixins, provide a mock for recovery-aware-trusted-asses bootloader - tests/lib/nested: do not compress images, return early when restored from pristine image - boot: split out a helper for making recovery system bootable - tests: update os.query check to match new bullseye codename used on sid images - o/snapstate: helper for getting snaps affected by refresh, define new hook - wrappers: support in EnsureSnapServices a callback to observe changes (#10176) - gadget: multi line support in gadget's cmdline file - daemon: test that requesting restart from (early) Ensure works - tests: use op.paths tools instead of dirs.sh helper - part 1 - tests: add new command to snaps-state to get current core, kernel and gadget - boot, gadget: move opening the snap container into the gadget helper - tests, overlord: extend unit tests, extend spread tests to cover full command line support - interfaces/builtin: introduce dsp interface - boot, bootloader, bootloader/assets: support for full command line override from gadget - overlord/devicestate, overlord/snapstate: add task for updating kernel command lines from gadget - o/snapstate: remove unused DeviceCtx argument of ensureInstallPreconditions - tests/lib/nested: proper status return for tpm/secure boot checks - cmd/snap, boot: add snapd_full_cmdline_args to dumped boot vars - wrappers/services.go: refactor helper lambda function to separate function - boot/flags.go: add HostUbuntuDataForMode - boot: handle updating of components that contribute to kernel command line - tests: add 20.04 to systems for nested/core - daemon: add new accessChecker implementations - boot, overlord/devicestate: consider gadget command lines when updating boot config - tests: fix prepare-image-grub-core18 for arm devices - tests: fix gadget-kernel-refs-update-pc test on arm and when $TRUST_TEST_KEY is false - tests: enable help test for all the systems - boot: set extra command line arguments when preparing run mode - boot: load bits of kernel command line from gadget snaps - tests: update layout for tests - part 2 - tests: update layout for tests - part 1 - tests: remove the snap profiler from the test suite - boot: drop gadget snap yaml which is already defined elsewhere in the tests - boot: set extra kernel command line arguments when making a recovery system bootable - boot: pass gadget path to command line helpers, load gadget from seed - tests: new os.paths tool - daemon: make ucrednetGet() return a *ucrednet structure - boot: derive boot variables for kernel command lines - cmd/snap-bootstrap/initramfs-mounts: fix boot-flags location from initramfs- New upstream release 2.50.1 - interfaces: update permitted /lib/.. paths to be compatible with UC20 - interfaces: builtin: update permitted paths to be compatible with UC20 - interfaces/greengrass-support: delete white spaces at the end of lines - snap-seccomp: update syscalls.go list - many: backport kernel command line for 2.50 - interfaces/dbus: allow claiming 'well-known' D-Bus names with a wildcard suffix - interfaces/camera: allow devices in /sys/devices/platform/**/usb* - interfaces/builtin: introduce dsp interface- Release 2.50 to Fedora (RHBZ#1936784)- New upstream release 2.50 - overlord: properly mock usr-lib-snapd tests to mimic an Ubuntu Core system - o/configstate/configcore/vitality: fix RequireMountedSnapdSnap bug - o/servicestate/servicemgr.go: add ensure loop for snap service units - wrappers/services.go: introduce EnsureSnapServices() - snapstate: add "kernel-assets" to featureSet - systemd: wait for zfs mounts - overlord: make servicestate responsible to compute SnapServiceOptions - boot,tests: move where we write boot-flags one level up - o/configstate: don't pass --root=/ when masking/unmasking/enabling/disabling services - cmd/snap-bootstrap/initramfs-mounts: write active boot-flags to /run - gadget: be more flexible with kernel content resolving - boot, cmd/snap: include extra cmdline args in debug boot-vars output - boot: support read/writing boot-flags from userspace/initramfs - interfaces/pwm: add PWM interface - tests/lib/prepare-restore.sh: clean out snapd changes and snaps before purging - systemd: enrich UnitStatus returned by systemd.Status() with Installed flag - tests: updated restore phase of spread tests - part 1 - gadget: add support for kernel command line provided by the gadget - tests: Using GO111MODULE: "off" in spread.yaml - features: add gate-auto-refresh-hook feature flag - spread: ignore linux kernel upgrade in early stages for arch preparation - tests: use snaps-state commands and remove them from the snaps helper - o/configstate: fix panic with a sequence of config unset ops over same path - api: provide meaningful error message on connect/disconnect for non-installed snap - interfaces/u2f-devices: add HyperFIDO Pro - tests: add simple sanity check for systemctl show --property=UnitFileState for unknown service - tests: use tests.session tool on interfaces-desktop-document- portal test - wrappers: install D-Bus service activation files for snapd session tools on core - many: add x-gvfs-hide option to mount units - interfaces/builtin/gpio_test.go: actually test the generated gpio apparmor - spread: tentative workaround for arch failure caused by libc upgrade and cgroups v2 - tests: add spread test for snap validate against store assertions - tests: remove snaps which are not used in any test - ci: set the accept-existing-contributors parameter for the cla- check action - daemon: introduce apiBaseSuite.(json|sync|async|error)Req (and some apiBaseSuite cosmetics) - o/devicestate/devicemgr: register install-device hook, run if present in install - o/configstate/configcore: simple refactors in preparation for new function - tests: unifying the core20 nested suite with the core nested suite - tests: uboot-unpacked-assets updated to reflect the real path used to find the kernel - daemon: switch api_test.go to daemon_test and various other cleanups - o/configstate/configcore/picfg.go: add hdmi_cvt support - interfaces/apparmor: followup cleanups, comments and tweaks - boot: cmd/snap-bootstrap: handle a candidate recovery system v2 - overlord/snapstate: skip catalog refresh when snappy testing is enabled - overlord/snapstate, overlord/ifacestate: move late security profile removal to ifacestate - snap-seccomp: fix seccomp test on ppc64el - interfaces, interfaces/apparmor, overlord/snapstate: late removal of snap-confine apparmor profiles - cmd/snap-bootstrap/initramfs-mounts: move time forward using assertion times - tests: reset the system while preparing the test suite - tests: fix snap-advise-command check for 429 - gadget: policy for gadget/kernel refreshes - o/configstate: deal with no longer valid refresh.timer=managed - interfaces/udisks2: allow locking /run/mount/utab for udisks 2.8.4 - cla-check: Use has-signed-canonical-cla GitHub Action - tests: validation sets spread test - tests: simplify the reset.sh logic by removing not needed command - overlord/snapstate: make sure that snapd current symlink is not removed during refresh - tests/core/fsck-on-boot: unmount /run/mnt/snapd directly on uc20 - tests/lib/fde-setup-hook: also verify that fde-reveal-key key data is base64 - o/devicestate: split off ensuring next boot goes to run mode into new task - tests: fix cgroup-tracking test - boot: export helper for clearing tried system state, add tests - cmd/snap: use less aggressive client timeouts in unit tests - daemon: fix signing key validity timestamp in unit tests - o/{device,hook}state: encode fde-setup-request key as base64 string - packaging: drop dh-systemd from build-depends on ubuntu-16.04+ - cmd/snap/pack: unhide the compression option - boot: extend set try recovery system unit tests - cmd/snap-bootstrap: refactor handling of ubuntu-save, do not use secboot's implicit fallback - o/configstate/configcore: add hdmi_timings to pi-config - snapstate: reduce reRefreshRetryTimeout to 1/2 second - interfaces/tee: add TEE/OPTEE interface - o/snapstate: update validation sets assertions with auto-refresh - vendor: update go-tpm2/secboot to latest version - seed: ReadSystemEssentialAndBetterEarliestTime - tests: replace while commands with the retry tool - interfaces/builtin: update unit tests to use proper distro's libexecdir - tests: run the reset.sh helper and check test invariants while the test is restored - daemon: switch preexisting daemon_test tests to apiBaseSuite and .req - boot, o/devicestate: split makeBootable20 into two parts - interfaces/docker-support: add autobind unix rules to docker- support - interfaces/apparmor: allow reading /proc/sys/kernel/random/entropy_avail - tests: use retry tool instead a loops - tests/main/uc20-create-partitions: fix tests cleanup - asserts: mode where Database only assumes cur time >= earliest time - daemon: validation sets/api tests cleanup - tests: improve tests self documentation for nested test suite - api: local assertion fallback when it's not in the store - api: validation sets monitor mode - tests: use fs-state tool in interfaces tests - daemon: move out /v2/login|logout and errToResponse tests from api_test.go - boot: helper for inspecting the outcome of a recovery system try - o/configstate, o/snapshotstate: fix handling of nil snap config on snapshot restore - tests: update documentation and checks for interfaces tests - snap-seccomp: add new `close_range` syscall - boot: revert #10009 - gadget: remove `device-tree{,-origin}` from gadget tests - boot: simplify systems test setup - image: write resolved-content from snap prepare-image - boot: reseal the run key for all recovery systems, but recovery keys only for the good ones - interfaces/builtin/network-setup-{control,observe}: allow using netplan directly - tests: improve sections prepare and restore - part 1 - tests: update details on task.yaml files - tests: revert os.query usage in spread.yaml - boot: export bootAssetsMap as AssetsMap - tests/lib/prepare: fix repacking of the UC20 kernel snap for with ubuntu-core-initramfs 40 - client: protect against reading too much data from stdin - tests: improve tests documentation - part 2 - boot: helper for setting up a try recover system - tests: improve tests documentation - part 1 - tests/unit/go: use tests.session wrapper for running tests as a user - tests: improvements for snap-seccomp-syscalls - gadget: simplify filterUpdate (thanks to Maciej) - tests/lib/prepare.sh: use /etc/group and friends from the core20 snap - tests: fix tumbleweed spread tests part 2 - tests: use new commands of os.query tool on tests - o/snapshotstate: create snapshots directory on import - tests/main/lxd/prep-snapd-in-lxd.sh: dump contents of sources.list - packaging: drop 99-snapd.conf via dpkg-maintscript-helper - osutil: add SetTime() w/ 32-bit and 64-bit implementations - interfaces/wayland: rm Xwayland Xauth file access from wayland slot - packaging/ubuntu-16.04/rules: turn modules off explicitly - gadget,devicestate: perform kernel asset update for $kernel: style refs - cmd/recovery: small fix for `snap recovery` tab output - bootloader/lkenv: add recovery systems related variables - tests: fix new tumbleweed image - boot: fix typo, should be systems - o/devicestate: test that users.create.automatic is configured early - asserts: use Fetcher in AddSequenceToUpdate - daemon,o/c/configcore: introduce users.create.automatic - client, o/servicestate: expose enabled state of user daemons - boot: helper for checking and marking tried recovery system status from initramfs - asserts: pool changes for validation-sets (#9930) - daemon: move the last api_foo_test.go to daemon_test - asserts: include the assertion timestamp in error message when outside of signing key validity range - ovelord/snapshotstate: keep a few of the last line tar prints before failing - gadget/many: rm, delay sector size + structure size checks to runtime - cmd/snap-bootstrap/triggerwatch: fix returning wrong errors - interfaces: add allegro-vcu and media-control interfaces - interfaces: opengl: add Xilinx zocl bits - mkversion: check that version from changelog is set before overriding the output version - many: fix new ineffassign warnings - .github/workflows/labeler.yaml: try work-around to not sync labels - cmd/snap, boot: add debug set-boot-vars - interfaces: allow reading the Xauthority file KDE Plasma writes for Wayland sessions - tests/main/snap-repair: test running repair assertion w/ fakestore - tests: disable lxd tests for 21.04 until the lxd images are published for the system - tests/regression/lp-1910456: cleanup the /snap symlink when done - daemon: move single snap querying and ops to api_snaps.go - tests: fix for preseed and dbus tests on 21.04 - overlord/snapshotstate: include the last message printed by tar in the error - interfaces/system-observe: Allow reading /proc/zoneinfo - interfaces: remove apparmor downgrade feature - snap: fix unit tests on Go 1.16 - spread: disable Go modules support in environment - tests: use new path to find kernel.img in uc20 for arm devices - tests: find files before using cat command when checking broadcom- asic-control interface - boot: introduce good recovery systems, provide compatibility handling - overlord: add manager gadget refresh test - tests/lib/fakestore: support repair assertions too - github: temporarily disable action labeler due to issues with labels being removed - o/devicestate,many: introduce DeviceManager.preloadGadget for EarlyConfig - tests: enable ubuntu 21.04 for spread tests - snap: provide a useful error message if gdbserver is not installed - data/selinux: allow system dbus to watch /var/lib/snapd/dbus-1 - tests/lib/prepare.sh: split reflash.sh into two parts - packaging/opensuse: sync with openSUSE packaging - packaging: disable Go modules in snapd.mk - snap: add deprecation noticed to "snap run --gdb" - daemon: add API for checking and installing available theme snaps - tests: using labeler action to add automatically a label to run nested tests - gadget: improve error handling around resolving content sources - asserts: repeat the authority cross-check in CheckSignature as well - interfaces/seccomp/template.go: allow copy_file_range - o/snapstate/check_snap.go: add support for many subversions in assumes snapdX.. - daemon: move postSnap and inst.dispatch tests to api_snaps_test.go - wrappers: use proper paths for mocked mount units in tests - snap: rename gdbserver option to `snap run --gdbserver` - store: support validation sets with fetch-assertions action - snap-confine.apparmor.in: support tmp and log dirs on Yocto/Poky - packaging/fedora: sync with downstream packaging in Fedora - many: add Delegate=true to generated systemd units for special interfaces (master) - boot: use a common helper for mocking boot assets in cache - api: validate snaps against validation set assert from the store - wrappers: don't generate an [Install] section for timer or dbus activated services - tests/nested/core20/boot-config-update: skip when snapd was not built with test features - o/configstate,o/devicestate: introduce devicestate.EarlyConfig implemented by configstate.EarlyConfig - cmd/snap-bootstrap/initramfs-mounts: fix typo in func name - interfaces/builtin: mock distribution in fontconfig cache unit tests - tests/lib/prepare.sh: add another console= to the reflash magic grub entry - overlord/servicestate: expose dbus activators of a service - desktop/notification: test against a real session bus and notification server implementation - cmd/snap-bootstrap/initramfs-mounts: write realistic modeenv for recover+install - HACKING.md: explain how to run UC20 spread tests with QEMU - asserts: introduce AtSequence - overlord/devicestate: task for updating boot configs, spread test - gadget: fix documentation/typos - gadget: cleanup MountedFilesystem{Writer,Updater} - gadget: use ResolvedSource in MountedFilesystemWriter - snap/info.go: add doc-comment for SortServices - interfaces: add an optional mount-host-font-cache plug attribute to the desktop interface - osutil: skip TestReadBuildGo inside sbuild - o/hookstate/ctlcmd: add optional --pid and --apparmor-label arguments to "snapctl is-connected" - data/env/snapd: use quoting in case PATH contains spaces - boot: do not observe successful boot assets if not in run mode - tests: fix umount for snapd snap on fsck-on-boot testumount: /run/mnt/ubuntu-seed/systems/*/snaps/snapd_*.snap: no mount - misc: little tweaks - snap/info.go: ignore unknown daemons in SortSnapServices - devicestate: keep log from install-mode on installed system - seed: add LoadEssentialMeta to seed16 and allow all of its implementations to be called multiple times - cmd/snap-preseed: initialize snap.SanitizePlugsSlots for gadget in seeds - tests/core/uc20-recovery: move recover mode helpers to generic testslib script - interfaces/fwupd: allow any distros to access fw files via fwupd - store: method for fetching validation set assertion - store: switch to v2/assertions api - gadget: add new ResolvedContent and populate from LayoutVolume() - spread: use full format when listing processes - osutil/many: make all test pkgs osutil_test instead of "osutil" - tests/unit/go: drop unused environment variables, skip coverage - OpenGL interface: Support more Tegra libs - gadget,overlord: pass kernelRoot to install.Run() - tests: run unit tests in Focal instead of Xenial - interfaces/browser-support: allow sched_setaffinity with browser- sandbox: true - daemon: move query /snaps/ tests to api_snaps_test.go - cmd/snap-repair/runner.go: add SNAP_SYSTEM_MODE to env of repair runner - systemd/systemd.go: support journald JSON messages with arrays for values - cmd: make string/error code more robust against errno leaking - github, run-checks: do not collect coverage data on subsequent test runs - boot: boot config update & reseal - o/snapshotstate: handle conflicts between snapshot forget, export and import - osutil/stat.go: add RegularFileExists - cmd/snapd-generator: don't create mount overrides for snap-try snaps inside lxc - gadget/gadget.go: rename ubuntu-* to system-* in doc-comment - tests: use 6 spread workers for centos8 - bootloader/assets: support injecting bootloader assets in testing builds of snapd - gadget: enable multi-volume uc20 gadgets in LaidOutSystemVolumeFromGadget; rename too - overlord/devicestate, sysconfig: do nothing when cloud-init is not present - cmd/snap-repair: filter repair assertions based on bases + modes - snap-confine: make host /etc/ssl available for snaps on classic- New upstream release 2.49.2 - interfaces/tee: add TEE/OPTEE interface - o/configstate/configcore: add hdmi_timings to pi-config - interfaces/udisks2: allow locking /run/mount/utab for udisks 2.8.4 - snap-seccomp: fix seccomp test on ppc64el - interfaces{,/apparmor}, overlord/snapstate: late removal of snap-confine apparmor profiles - overlord/snapstate, wrappers: add dependency on usr-lib- snapd.mount for services on core with snapd snap - o/configstate: deal with no longer valid refresh.timer=managed - overlord/snapstate: make sure that snapd current symlink is not removed during refresh - packaging: drop dh-systemd from build-depends on ubuntu-16.04+ - o/{device,hook}state: encode fde-setup-request key as base64 - snapstate: reduce reRefreshRetryTimeout to 1/2 second - tests/main/uc20-create-partitions: fix tests cleanup - o/configstate, o/snapshotstate: fix handling of nil snap config on snapshot restore - snap-seccomp: add new `close_range` syscall- New upstream release 2.49.1 - tests: turn modules off explicitly in spread go unti test - o/snapshotstate: create snapshots directory on import - cmd/snap-bootstrap/triggerwatch: fix returning wrong errors - interfaces: add allegro-vcu and media-control interfaces - interfaces: opengl: add Xilinx zocl bits - many: fix new ineffassign warnings - interfaces/seccomp/template.go: allow copy_file_range - interfaces: allow reading the Xauthority file KDE Plasma writes for Wayland sessions - data/selinux: allow system dbus to watch /var/lib/snapd/dbus-1 - Remove apparmor downgrade feature - Support tmp and log dirs on Yocto/Poky- Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583.- Fix SELinux policy to allow dbus-daemon watch access on /var/lib/snapd/dbus-1 (LP#1915642)- Release snapd 2.49 to Fedora (RHBZ#1927314) - Include fix for CVE-2020-27352 (RHBZ#1927428, RHBZ#1927432)- New upstream release 2.49 - many: add Delegate=true to generated systemd units for special interfaces - cmd/snap-bootstrap: rename ModeenvFromModel to EphemeralModeenvForModel - cmd/snap-bootstrap/initramfs-mounts: write realistic modeenv for recover+install - osutil: skip TestReadBuildGo inside sbuild - tests: fix umount for snapd snap on fsck-on-boot test - snap/info_test.go: add unit test cases for bug - tests/main/services-after-before: add regression spread test - snap/info.go: ignore unknown daemons in SortSnapServices - cmd/snap-preseed: initialize snap.SanitizePlugsSlots for gadget in seeds - OpenGL interface: Support more Tegra libs - interfaces/browser-support: allow sched_setaffinity with browser- sandbox: true - cmd: make string/error code more robust against errno leaking - o/snapshotstate: handle conflicts between snapshot forget, export and import - cmd/snapd-generator: don't create mount overrides for snap-try snaps inside lxc - tests: update test pkg for fedora and centos - gadget: pass sector size in to mkfs family of functions, use to select block sz - o/snapshotstate: fix returning of snap names when duplicated snapshot is detected - tests/main/snap-network-errors: skip flushing dns cache on centos-7 - interfaces/builtin: Allow DBus property access on org.freedesktop.Notifications - cgroup-support.c: fix link to CGROUP DELEGATION - osutil: update go-udev package - packaging: fix arch-indep build on debian-sid - {,sec}boot: pass "key-name" to the FDE hooks - asserts: sort by revision with Sort interface - gadget: add gadget.ResolveContentPaths() - cmd/snap-repair: save base snap and mode in device info; other misc cleanups - tests: cleanup the run-checks script - asserts: snapasserts method to validate installed snaps against validation sets - tests: normalize test tools - part 1 - snapshotstate: detect duplicated snapshot imports - interfaces/builtin: fix unit test expecting snap-device-helper at /usr/lib/snapd - tests: apply workaround done for snap-advise-command to apt-hooks test - tests: skip main part of snap-advise test if 429 error is encountered - many: clarify gadget role-usage consistency checks for UC16/18 vs UC20 - sandbox/cgroup, tess/main: fix unit tests on v2 system, disable broken tests on sid - interfaces/builtin: more drive by fixes, import ordering, removing dead code - tests: skip interfaces-openvswitch spread test on debian sid - interfaces/apparmor: drive by comment fix - cmd/libsnap-confine-private/cleanup-funcs-test.c: rm g_autofree usage - cmd/libsnap-confine-private: make unit tests execute happily in a container - interfaces, wrappers: misc comment fixes, etc. - asserts/repair.go: add "bases" and "modes" support to the repair assertion - interfaces/opengl: allow RPi MMAL video decoding - snap: skip help output tests for go-flags v1.4.0 - gadget: add validation for "$kernel:ref" style content - packaging/deb, tests/main/lxd-postrm-purge: fix purge inside containers - spdx: update to SPDX license list version: 3.11 2020-11-25 - tests: improve hotplug test setup on classic - tests: update check to verify is the current system is arm - tests: use os-query tool to check debian, trusty and tumbleweed - daemon: start moving implementation to api_snaps.go - tests/main/snap-validate-basic: disable test on Fedora due to go- flags panics - tests: fix library path used for tests.pkgs - tests/main/cohorts: replace yq with a Python snippet - run-checks: update to match new argument syntax of ineffassign - tests: use apiBaseSuite for snapshots tests, fix import endpoint path - many: separate consistency/content validation into gadget.Validate|Content - o/{device,snap}state: enable devmode snaps with dangerous model assertions secboot: add test for when systemd-run does not honor RuntimeMaxSec - secboot: add workaround for snapcore/core-initrd issue #13 - devicestate: log checkEncryption errors via logger.Noticef - o/daemon: validation sets api and basic spread test - gadget: move BuildPartitionList to install and make it unexported - tests: add nested spread end-to-end test for fde-hooks - devicestate: implement checkFDEFeatures() - boot: tweak resealing with fde-setup hooks - tests: add os query commands for subsystems and architectures - o/snapshotstate: don't set auto flag in the snapshot file - tests: use os.query tool instead of comparing the system var - testutil: use the original environment when calling shellcheck - sysconfig/cloudinit.go: add "manual_cache_clean: true" to cloud- init restrict file - gadget,o/devicestate,tests: drop EffectiveFilesystemLabel and instead set the implicit labels when loading the yaml - secboot: add new LockSealedKeys() that uses either TPM/fde-reveal- key - gadget/quantity: introduce Offset, start using it for offset related fields in the gadget - gadget: use "sealed-keys" to determine what method to use for reseal - tests/main/fake-netplan-apply: disable test on xenial for now - daemon: start splitting snaps op tests out of api_test.go - testutil: make DBusTest use a custom bus configuration file - tests: replace pkgdb.sh (library) with tests.pkgs (program) - gadget: prepare gadget kernel refs (0/N) - interfaces/builtin/docker-support: allow /run/containerd/s/... - cmd/snap-preseed: reset run inhibit locks on --reset. - boot: add sealKeyToModeenvUsingFdeSetupHook() - daemon: reorg snap.go and split out sections and icons support from api.go - sandbox/seccomp: use snap-seccomp's stdout for getting version info - daemon: split find support to its own api_*.go files and move some helpers - tests: move snapstate config defaults tests to a separate file. - bootloader/{lk,lkenv}: followups from #9695 - daemon: actually move APIBaseSuite to daemon_test.apiBaseSuite - gadget,o/devicestate: set implicit values for schema and role directly instead of relying on Effective* accessors - daemon: split aliases support to its own api_*.go files - gadget: start separating rule/convention validation from basic soundness - cmd/snap-update-ns: add better unit test for overname sorting - secboot: use `fde-reveal-key` if available to unseal key - tests: fix lp-1899664 test when snapd_x1 is not installed in the system - tests: fix the scenario when the "$SRC".orig file does not exist - cmd/snap-update-ns: fix sorting of overname mount entries wrt other entries - devicestate: add runFDESetupHook() helper - bootloader/lk: add support for UC20 lk bootloader with V2 lkenv structs - daemon: split unsupported buy implementation to its own api_*.go files - tests: download timeout spread test - gadget,o/devicestate: hybrid 18->20 ready volume setups should be valid - o/devicestate: save model with serial in the device save db - bootloader: add check for prepare-image time and more tests validating options - interfaces/builtin/log_observe.go: allow controlling apparmor audit levels - hookstate: refactor around EphemeralRunHook - cmd/snap: implement 'snap validate' command - secboot,devicestate: add scaffoling for "fde-reveal-key" support - boot: observe successful command line update, provide a default - tests: New queries for the os tools - bootloader/lkenv: specify backup file as arg to NewEnv(), use "" as path+"bak" - osutil/disks: add FindMatchingPartitionUUIDWithPartLabel to Disk iface - daemon: split out snapctl support and snap configuration support to their own api_*.go files - snapshotstate: improve handling of multiple errors - tests: sign new nested-18|20* models to allow for generic serials - bootloader: remove installableBootloader interface and methods - seed: cleanup/drop some no longer valid TODOS, clarify some other points - boot: set kernel command line in modeenv during install - many: rename disks.FindMatching... to FindMatching...WithFsLabel and err type - cmd/snap: suppress a case of spurious stdout logging from tests - hookstate: add new HookManager.EphemeralRunHook() - daemon: move some more api tests from daemon to daemon_test - daemon: split apps and logs endpoints to api_apps.go and tests - interfaces/utf: Add Ledger to U2F devices - seed/seedwriter: consider modes when checking for deps availability - o/devicestate,daemon: fix reboot system action to not require a system label - cmd/snap-repair,store: increase initial retry time intervals, stalling TODOs - daemon: split interfacesCmd to api_interfaces.go - github: run nested suite when commit is pushed to release branch - client: reduce again the /v2/system-info timeout - tests: reset fakestore unit status - update-pot: fix typo in plural keyword spec - tests: remove workarounds that add "ubuntu-save" if missing - tests: add unit test for auto-refresh with validate-snap failure - osutil: add helper for getting the kernel command line - tests/main/uc20-create-partitions: verify ubuntu-save encryption keys, tweak not MATCH - boot: add kernel command lines to the modeenv file - spread: bump delta ref, tweak repacking to make smaller delta archives - bootloader/lkenv: add v2 struct + support using it - snapshotstate: add cleanup of abandonded snapshot imports - tests: fix uc20-create-parition-* tests for updated gadget - daemon: split out /v2/interfaces tests to api_interfaces_test.go - hookstate: implement snapctl fde-setup-{request,result} - wrappers, o/devicestate: remove EnableSnapServices - tests: enable nested on 20.10 - daemon: simplify test helpers Get|PostReq into Req - daemon: move general api to api_general*.go - devicestate: make checkEncryption fde-setup hook aware - client/snapctl, store: fix typos - tests/main/lxd/prep-snapd-in-lxd.sh: wait for valid apt files before doing apt ops - cmd/snap-bootstrap: update model cross-check considerations - client,snapctl: add naive support for "stdin" - many: add new "install-mode: disable" option - osutil/disks: allow building on mac os - data/selinux: update the policy to allow operations on non-tmpfs /tmp - boot: add helper for generating candidate kernel lines for recovery system - wrappers: generate D-Bus service activation files - bootloader/many: rm ConfigFile, add Present for indicating presence of bloader - osutil/disks: allow mocking DiskFromDeviceName - daemon: start cleaning up api tests - packaging/arch: sync with AUR packaging - bootloader: indicate when boot config was updated - tests: Fix snap-debug-bootvars test to make it work on arm devices and core18 - tests/nested/manual/core20-save: verify handling of ubuntu-save with different system variants - snap: use the boot-base for kernel hooks - devicestate: support "storage-safety" defaults during install - bootloader/lkenv: mv v1 to separate file, include/lk/snappy_boot_v1.h: little fixups - interfaces/fpga: add fpga interface - store: download timeout - vendor: update secboot repo to avoid including secboot.test binary - osutil: add KernelCommandLineKeyValue - gadget/gadget.go: allow system-recovery-{image,select} as roles in gadget.yaml - devicestate: implement boot.HasFDESetupHook - osutil/disks: add DiskFromName to get a disk using a udev name - usersession/agent: have session agent connect to the D-Bus session bus - o/servicestate: preserve order of services on snap restart - o/servicestate: unlock state before calling wrappers in doServiceControl - spread: disable unattended-upgrades on ubuntu - tests: testing new fedora 33 image - tests: fix fsck on boot on arm devices - tests: skip boot state test on arm devices - tests: updated the systems to run prepare-image-grub test - interfaces/raw_usb: allow read access to /proc/tty/drivers - tests: unmount /boot/efi in fsck-on-boot test - strutil/shlex,osutil/udev/netlink: minimally import go-check - tests: fix basic20 test on arm devices - seed: make a shared seed system label validation helper - tests/many: enable some uc20 tests, delete old unneeded tests or TODOs - boot/makebootable.go: set snapd_recovery_mode=install at image- build time - tests: migrate test from boot.sh helper to boot-state tool - asserts: implement "storage-safety" in uc20 model assertion - bootloader: use ForGadget when installing boot config - spread: UC20 no longer needs 2GB of mem - cmd/snap-confine: implement snap-device-helper internally - bootloader/grub: replace old reference to Managed...Blr... with Trusted...Blr... - cmd/snap-bootstrap: add readme for snap-bootstrap + real state diagram - interfaces: fix greengrass attr namingThe flavor attribute names are now as follows: - tests/lib/nested: poke the API to get the snap revisions - tests: compare options of mount units created by snapd and snapd- generator - o/snapstate,servicestate: use service-control task for service actions - sandbox: track applications unconditionally - interfaces/greengrass-support: add additional "process" flavor for 1.11 update - cmd/snap-bootstrap, secboot, tests: misc cleanups, add spread test- Explicitly disable go module support during build (RHBZ#1923716)- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild- Release 2.48.2 to Fedora (RHBZ#1899700)- New upstream release 2.48.2 - tests: sign new nested-18|20* models to allow for generic serials - secboot: add extra paranoia when waiting for that fde-reveal-key - tests: backport netplan workarounds from #9785 - secboot: add workaround for snapcore/core-initrd issue #13 - devicestate: log checkEncryption errors via logger.Noticef - tests: add nested spread end-to-end test for fde-hooks - devicestate: implement checkFDEFeatures() - boot: tweak resealing with fde-setup hooks - sysconfig/cloudinit.go: add "manual_cache_clean: true" to cloud- init restrict file - secboot: add new LockSealedKeys() that uses either TPM or fde-reveal-key - gadget: use "sealed-keys" to determine what method to use for reseal - boot: add sealKeyToModeenvUsingFdeSetupHook() - secboot: use `fde-reveal-key` if available to unseal key - cmd/snap-update-ns: fix sorting of overname mount entries wrt other entries - o/devicestate: save model with serial in the device save db - devicestate: add runFDESetupHook() helper - secboot,devicestate: add scaffoling for "fde-reveal-key" support - hookstate: add new HookManager.EphemeralRunHook() - update-pot: fix typo in plural keyword spec - store,cmd/snap-repair: increase initial expontential time intervals - o/devicestate,daemon: fix reboot system action to not require a system label - github: run nested suite when commit is pushed to release branch - tests: reset fakestore unit status - tests: fix uc20-create-parition-* tests for updated gadget - hookstate: implement snapctl fde-setup-{request,result} - devicestate: make checkEncryption fde-setup hook aware - client,snapctl: add naive support for "stdin" - devicestate: support "storage-safety" defaults during install - snap: use the boot-base for kernel hooks - vendor: update secboot repo to avoid including secboot.test binary- New upstream release 2.48.1 - gadget: disable ubuntu-boot role validation check- New upstream release 2.48 - osutil: add KernelCommandLineKeyValue - devicestate: implement boot.HasFDESetupHook - boot/makebootable.go: set snapd_recovery_mode=install at image- build time - bootloader: use ForGadget when installing boot config - interfaces/raw_usb: allow read access to /proc/tty/drivers - boot: add scaffolding for "fde-setup" hook support for sealing - tests: fix basic20 test on arm devices - seed: make a shared seed system label validation helper - snap: add new "fde-setup" hooktype - cmd/snap-bootstrap, secboot, tests: misc cleanups, add spread test - secboot,cmd/snap-bootstrap: fix degraded mode cases with better device handling - boot,dirs,c/snap-bootstrap: avoid InstallHost* at the cost of some messiness - tests/nested/manual/refresh-revert-fundamentals: temporarily disable secure boot - snap-bootstrap,secboot: call BlockPCRProtectionPolicies in all boot modes - many: address degraded recover mode feedback, cleanups - tests: Use systemd-run on tests part2 - tests: set the opensuse tumbleweed system as manual in spread.yaml - secboot: call BlockPCRProtectionPolicies even if the TPM is disabled - vendor: update to current secboot - cmd/snap-bootstrap,o/devicestate: use a secret to pair data and save - spread.yaml: increase number of workers on 20.10 - snap: add new `snap recovery --show-keys` option - tests: minor test tweaks suggested in the review of 9607 - snapd-generator: set standard snapfuse options when generating units for containers - tests: enable lxd test on ubuntu-core-20 and 16.04-32 - interfaces: share /tmp/.X11-unix/ from host or provider - tests: enable main lxd test on 20.10 - cmd/s-b/initramfs-mounts: refactor recover mode to implement degraded mode - gadget/install: add progress logging - packaging: keep secboot/encrypt_dummy.go in debian - interfaces/udev: use distro specific path to snap-device-helper - o/devistate: fix chaining of tasks related to regular snaps when preseeding - gadget, overlord/devicestate: validate that system supports encrypted data before install - interfaces/fwupd: enforce the confined fwupd to align Ubuntu Core ESP layout - many: add /v2/system-recovery-keys API and client - secboot, many: return UnlockMethod from Unlock* methods for future usage - many: mv keys to ubuntu-boot, move model file, rename keyring prefix for secboot - tests: using systemd-run instead of manually create a systemd unit - part 1 - secboot, cmd/snap-bootstrap: enable or disable activation with recovery key - secboot: refactor Unlock...IfEncrypted to take keyfile + check disks first - secboot: add LockTPMSealedKeys() to lock access to keys independently - gadget: correct sfdisk arguments - bootloader/assets/grub: adjust fwsetup menuentry label - tests: new boot state tool - spread: use the official image for Ubuntu 20.10, no longer an unstable system - tests/lib/nested: enable snapd logging to console for core18 - osutil/disks: re-implement partition searching for disk w/ non- adjacent parts - tests: using the nested-state tool in nested tests - many: seal a fallback object to the recovery boot chain - gadget, gadget/install: move helpers to install package, refactor unit tests - dirs: add "gentoo" to altDirDistros - update-pot: include file locations in translation template, and extract strings from desktop files - gadget/many: drop usage of gpt attr 59 for indicating creation of partitions - gadget/quantity: tweak test name - snap: fix failing unittest for quantity.FormatDuration() - gadget/quantity: introduce a new package that captures quantities - o/devicestate,a/sysdb: make a backup of the device serial to save - tests: fix rare interaction of tests.session and specific tests - features: enable classic-preserves-xdg-runtime-dir - tests/nested/core20/save: check the bind mount and size bump - o/devicetate,dirs: keep device keys in ubuntu-save/save for UC20 - tests: rename hasHooks to hasInterfaceHooks in the ifacestate tests - o/devicestate: unit test tweaks - boot: store the TPM{PolicyAuthKey,LockoutAuth}File in ubuntu-save - testutil, cmd/snap/version: fix misc little errors - overlord/devicestate: bind mount ubuntu-save under /var/lib/snapd/save on startup - gadget/internal: tune ext4 setting for smaller filesystems - tests/nested/core20/save: a test that verifies ubuntu-save is present and set up - tests: update google sru backend to support groovy - o/ifacestate: handle interface hooks when preseeding - tests: re-enable the apt hooks test - interfaces,snap: use correct type: {os,snapd} for test data - secboot: set metadata and keyslots sizes when formatting LUKS2 volumes - tests: improve uc20-create-partitions-reinstall test - client, daemon, cmd/snap: cleanups from #9489 + more unit tests - cmd/snap-bootstrap: mount ubuntu-save during boot if present - secboot: fix doc comment on helper for unlocking volume with key - tests: add spread test for refreshing from an old snapd and core18 - o/snapstate: generate snapd snap wrappers again after restart on refresh - secboot: version bump, unlock volume with key - tests/snap-advise-command: re-enable test - cmd/snap, snapmgr, tests: cleanups after #9418 - interfaces: deny connected x11 plugs access to ICE - daemon,client: write and read a maintenance.json file for when snapd is shut down - many: update to secboot v1 (part 1) - osutil/disks/mockdisk: panic if same mountpoint shows up again with diff opts - tests/nested/core20/gadget,kernel-reseal: add sanity checks to the reseal tests - many: implement snap routine console-conf-start for synchronizing auto-refreshes - dirs, boot: add ubuntu-save directories and related locations - usersession: fix typo in test name - overlord/snapstate: refactor ihibitRefresh - overlord/snapstate: stop warning about inhibited refreshes - cmd/snap: do not hardcode snapshot age value - overlord,usersession: initial notifications of pending refreshes - tests: add a unit test for UpdateMany where a single snap fails - o/snapstate/catalogrefresh.go: don't refresh catalog in install mode uc20 - tests: also check snapst.Current in undo-unlink tests - tests: new nested tool - o/snapstate: implement undo handler for unlink-snap - tests: clean systems.sh helper and migrate last set of tests - tests: moving the lib section from systems.sh helper to os.query tool - tests/uc20-create-partitions: don't check for grub.cfg - packaging: make sure that static binaries are indeed static, fix openSUSE - many: have install return encryption keys for data and save, improve tests - overlord: add link participant for linkage transitions - tests: lxd smoke test - tests: add tests for fsck; cmd/s-b/initramfs-mounts: fsck ubuntu- seed too - tests: moving main suite from systems.sh to os.query tool - tests: moving the core test suite from systems.sh to os.query tool - cmd/snap-confine: mask host's apparmor config - o/snapstate: move setting updated SnapState after error paths - tests: add value to INSTANCE_KEY/regular - spread, tests: tweaks for openSUSE - cmd/snap-confine: update path to snap-device-helper in AppArmor profile - tests: new os.query tool - overlord/snapshotstate/backend: specify tar format for snapshots - tests/nested/manual/minimal-smoke: use 384MB of RAM for nested UC20 - client,daemon,snap: auto-import does not error on managed devices - interfaces: PTP hardware clock interface - tests: use tests.backup tool - many: verify that unit tests work with nosecboot tag and without secboot package - wrappers: do not error out on read-only /etc/dbus-1/session.d filesystem on core18 - snapshots: import of a snapshot set - tests: more output for sbuild test - o/snapstate: re-order remove tasks for individual snap revisions to remove current last - boot: skip some unit tests when running as root - o/assertstate: introduce ValidationTrackingKey/ValidationSetTracking and basic methods - many: allow ignoring running apps for specific request - tests: allow the searching test to fail under load - overlord/snapstate: inhibit startup while unlinked - seed/seedwriter/writer.go: check DevModeConfinement for dangerous features - tests/main/sudo-env: snap bin is available on Fedora - boot, overlord/devicestate: list trusted and managed assets upfront - gadget, gadget/install: support for ubuntu-save, create one during install if needed - spread-shellcheck: temporary workaround for deadlock, drop unnecessary test - snap: support different exit-code in the snap command - logger: use strutil.KernelCommandLineSplit in debugEnabledOnKernelCmdline - logger: fix snapd.debug=1 parsing - overlord: increase refresh postpone limit to 14 days - spread-shellcheck: use single thread pool executor - gadget/install,secboot: add debug messages - spread-shellcheck: speed up spread-shellcheck even more - spread-shellcheck: process paths from arguments in parallel - tests: tweak error from tests.cleanup - spread: remove workaround for openSUSE go issue - o/configstate: create /etc/sysctl.d when applying early config defaults - tests: new tests.backup tool - tests: add tests.cleanup pop sub-command - tests: migration of the main suite to snaps-state tool part 6 - tests: fix journal-state test - cmd/snap-bootstrap/initramfs-mounts: split off new helper for misc recover files - cmd/snap-bootstrap/initramfs-mounts: also copy /etc/machine-id for same IP addr - packaging/{ubuntu,debian}: add liblzo2-dev as a dependency for building snapd - boot, gadget, bootloader: observer preserves managed bootloader configs - tests/nested/manual: add uc20 grade signed cloud-init test - o/snapstate/autorefresh.go: eliminate race when launching autorefresh - daemon,snapshotstate: do not return "size" from Import() - daemon: limit reading from snapshot import to Content-Length - many: set/expect Content-Length header when importing snapshots - github: switch from ::set-env command to environment file - tests: migration of the main suite to snaps-state tool part 5 - client: cleanup the Client.raw* and Client.do* method families - tests: moving main suite to snaps-state tool part 4 - client,daemon,snap: use constant for snapshot content-type - many: fix typos and repeated "the" - secboot: fix tpm connection leak when it's not enabled - many: scaffolding for snapshots import API - run-checks: run spread-shellcheck too - interfaces: update network-manager interface to allow ObjectManager access from unconfined clients - tests: move core and regression suites to snaps-state tool - tests: moving interfaces tests to snaps-state tool - gadget: preserve files when indicated by content change observer - tests: moving smoke test suite and some tests from main suite to snaps-state tool - o/snapshotstate: pass set id to backend.Open, update tests - asserts/snapasserts: introduce ValidationSets - o/snapshotstate: improve allocation of new set IDs - boot: look at the gadget for run mode bootloader when making the system bootable - cmd/snap: allow snap help vs --all to diverge purposefully - usersession/userd: separate bus name ownership from defining interfaces - o/snapshotstate: set snapshot set id from its filename - o/snapstate: move remove-related tests to snapstate_remove_test.go - desktop/notification: switch ExpireTimeout to time.Duration - desktop/notification: add unit tests - snap: snap help output refresh - tests/nested/manual/preseed: include a system-usernames snap when preseeding - tests: fix sudo-env test - tests: fix nested core20 shellcheck bug - tests/lib: move to new directory when restoring PWD, cleanup unpacked unpacked snap directories - desktop/notification: add bindings for FDO notifications - dbustest: fix stale comment references - many: move ManagedAssetsBootloader into TrustedAssetsBootloader, drop former - snap-repair: add uc20 support - tests: print all the serial logs for the nested test - o/snapstate/check_snap_test.go: mock osutil.Find{U,G}id to avoid bug in test - cmd/snap/auto-import: stop importing system user assertions from initramfs mnts - osutil/group.go: treat all non-nil errs from user.Lookup{Group,} as Unknown* - asserts: deserialize grouping only once in Pool.AddBatch if needed - gadget: allow content observer to have opinions about a change - tests: new snaps-state command - part1 - o/assertstate: support refreshing any number of snap-declarations - boot: use test helpers - tests/core/snap-debug-bootvars: also check snap_mode - many/apparmor: adjust rules for reading profile/ execing new profiles for new kernel - tests/core/snap-debug-bootvars: spread test for snap debug boot- vars - tests/lib/nested.sh: more little tweaks - tests/nested/manual/grade-signed-above-testkeys-boot: enable kvm - cmd/s-b/initramfs-mounts: use ConfigureTargetSystem for install, recover modes - overlord: explicitly set refresh-app-awareness in tests - kernel: remove "edition" from kernel.yaml and add "update" - spread: drop vendor from the packed project archive - boot: fix debug bootloader variables dump on UC20 systems - wrappers, systemd: allow empty root dir and conditionally do not pass --root to systemctl - tests/nested/manual: add test for grades above signed booting with testkeys - tests/nested: misc robustness fixes - o/assertstate,asserts: use bulk refresh to refresh snap- declarations - tests/lib/prepare.sh: stop patching the uc20 initrd since it has been updated now - tests/nested/manual/refresh-revert-fundamentals: re-enable test - update-pot: ignore .go files inside .git when running xgettext-go - tests: disable part of the lxd test completely on 16.04. - o/snapshotstate: tweak comment regarding snapshot filename - o/snapstate: improve snapshot iteration - bootloader: lk cleanups - tests: update to support nested kvm without reboots on UC20 - tests/nested/manual/preseed: disable system-key check for 20.04 image - spread.yaml: add ubuntu-20.10-64 to qemu - store: handle v2 error when fetching assertions - gadget: resolve device mapper devices for fallback device lookup - tests/nested/cloud-init-many: simplify tests and unify helpers/seed inputs - tests: copy /usr/lib/snapd/info to correct directory - check-pr-title.py * : allow "*" in the first part of the title - many: typos and small test tweak - tests/main/lxd: disable cgroup combination for 16.04 that is failing a lot - tests: make nested signing helpers less confusing - tests: misc nested changes - tests/nested/manual/refresh-revert-fundamentals: disable temporarily - tests/lib/cla_check: default to Python 3, tweaks, formatting - tests/lib/cl_check.py: use python3 compatible code- Release 2.47.1 to Fedora (RHBZ#1872528)- New upstream release 2.47.1 - o/configstate: create /etc/sysctl.d when applying early config defaults - cmd/snap-bootstrap/initramfs-mounts: also copy /etc/machine-id for same IP addr - packaging/{ubuntu,debian}: add liblzo2-dev as a dependency for building snapd - cmd/snap: allow snap help vs --all to diverge purposefully - snap: snap help output refresh- New upstream release 2.47 - tests: fix nested core20 shellcheck bug - many/apparmor: adjust rule for reading apparmor profile for new kernel - snap-repair: add uc20 support - cmd/snap/auto-import: stop importing system user assertions from initramfs mnts - cmd/s-b/initramfs-mounts: use ConfigureTargetSystem for install, recover modes - gadget: resolve device mapper devices for fallback device lookup - secboot: add boot manager profile to pcr protection profile - sysconfig,o/devicestate: mv DisableNoCloud to DisableAfterLocalDatasourcesRun - tests: make gadget-reseal more robust - tests: skip nested images pre-configuration by default - tests: fix for basic20 test running on external backend and rpi - tests: improve kernel reseal test - boot: adjust comments, naming, log success around reseal - tests/nested, fakestore: changes necessary to run nested uc20 signed/secured tests - tests: add nested core20 gadget reseal test - boot/modeenv: track unknown keys in Read and put back into modeenv during Write - interfaces/process-control: add sched_setattr to seccomp - boot: with unasserted kernels reseal if there's a hint modeenv changed - client: bump the default request timeout to 120s - configcore: do not error in console-conf.disable for install mode - boot: streamline bootstate20.go reseal and tests changes - boot: reseal when changing kernel - cmd/snap/model: specify grade in the model command output - tests: simplify repack_snapd_snap_with_deb_content_and_run_mode_first_boot_tweaks - test: improve logging in nested tests - nested: add support to telnet to serial port in nested VM - secboot: use the snapcore/secboot native recovery key type - tests/lib/nested.sh: use more focused cloud-init config for uc20 - tests/lib/nested.sh: wait for the tpm socket to exist - spread.yaml, tests/nested: misc changes - tests: add more checks to disk space awareness spread test - tests: disk space awareness spread test - boot: make MockUC20Device use a model and MockDevice more realistic - boot,many: reseal only when meaningful and necessary - tests/nested/core20/kernel-failover: add test for failed refresh of uc20 kernel - tests: fix nested to work with qemu and kvm - boot: reseal when updating boot assets - tests: fix snap-routime-portal-info test - boot: verify boot chain file in seal and reseal tests - tests: use full path to test-snapd-refresh.version binary - boot: store boot chains during install, helper for checking whether reseal is needed - boot: add call to reseal an existing key - boot: consider boot chains with unrevisioned kernels incomparable - overlord: assorted typos and miscellaneous changes - boot: group SealKeyModelParams by model, improve testing - secboot: adjust parameters to buildPCRProtectionProfile - strutil: add SortedListsUniqueMergefrom the doc comment: - snap/naming: upgrade TODO to TODO:UC20 - secboot: add call to reseal an existing key - boot: in seal.go adjust error message and function names - o/snapstate: check available disk space in RemoveMany - boot: build bootchains data for sealing - tests: remove "set -e" from function only shell libs - o/snapstate: disk space check on UpdateMany - o/snapstate: disk space check with snap update - snap: implement new `snap reboot` command - boot: do not reorder boot assets when generating predictable boot chains and other small tweaks - tests: some fixes and improvements for nested execution - tests/core/uc20-recovery: fix check for at least specific calls to mock-shutdown - boot: be consistent using bootloader.Role* consts instead of strings - boot: helper for generating secboot load chains from a given boot asset sequence - boot: tweak boot chains to support a list of kernel command lines, keep track of model and kernel boot file - boot,secboot: switch to expose and use snapcore/secboot load event trees - tests: use `nested_exec` in core{20,}-early-config test - devicestate: enable cloud-init on uc20 for grade signed and secured - boot: add "rootdir" to baseBootenvSuite and use in tests - tests/lib/cla_check.py: don't allow users.noreply.github.com commits to pass CLA - boot: represent boot chains, helpers for marshalling and equivalence checks - boot: mark successful with boot assets - client, api: handle insufficient space error - o/snapstate: disk space check with single snap install - configcore: "service.console-conf.disable" is gadget defaults only - packaging/opensuse: fix for /usr/libexec on TW, do not hardcode AppArmor profile path - tests: skip udp protocol in nfs-support test on ubuntu-20.10 - packaging/debian-sid: tweak code preparing _build tree - many: move seal code from gadget/install to boot - tests: remove workaround for cups on ubuntu-20.10 - client: implement RebootToSystem - many: seed.Model panics now if called before LoadAssertions - daemon: add /v2/systems "reboot" action API - github: run tests also on push to release branches - interfaces/bluez: let slot access audio streams - seed,c/snap-bootstrap: simplify snap-bootstrap seed reading with new seed.ReadSystemEssential - interfaces: allow snap-update-ns to read /proc/cmdline - tests: new organization for nested tests - o/snapstate, features: add feature flags for disk space awareness - tests: workaround for cups issue on 20.10 where default printer is not configured. - interfaces: update cups-control and add cups for providing snaps - boot: keep track of the original asset when observing updates - tests: simplify and fix tests for disk space checks on snap remove - sysconfig/cloudinit.go: add AllowCloudInit and use GadgetDir for cloud.conf - tests/main: mv core specific tests to core suite - tests/lib/nested.sh: reset the TPM when we create the uc20 vm - devicestate: rename "mockLogger" to "logbuf" - many: introduce ContentChange for tracking gadget content in observers - many: fix partion vs partition typo - bootloader: retrieve boot chains from bootloader - devicestate: add tests around logging in RequestSystemAction - boot: handle canceled update - bootloader: tweak doc comments (thanks Samuele) - seed/seedwriter: test local asserted snaps with UC20 grade signed - sysconfig/cloudinit.go: add DisableNoCloud to CloudInitRestrictOptions - many: use BootFile type in load sequences - boot,bootloader: clarifications after the changes to introduce bootloader.Options.Role - boot,bootloader,gadget: apply new bootloader.Options.Role - o/snapstate, features: add feature flag for disk space check on remove - testutil: add checkers for symbolic link target - many: refactor tpm seal parameter setting - boot/bootstate20: reboot to rollback to previous kernel - boot: add unit test helpers - boot: observe update & rollback of trusted assets - interfaces/utf: Add MIRKey to u2f devices - o/devicestate/devicestate_cloudinit_test.go: test cleanup for uc20 cloud-init tests - many: check that users of BaseTest don't forget to consume cleanups - tests/nested/core20/tpm: verify trusted boot assets tracking - github: run macOS job with Go 1.14 - many: misc doc-comment changes and typo fixes - o/snapstate: disk space check with InstallMany - many: cloud-init cleanups from previous PR's - tests: running tests on opensuse leap 15.2 - run-checks: check for dirty build tree too - vendor: run ./get-deps.sh to update the secboot hash - tests: update listing test for "-dirty" versions - overlord/devicestate: do not release the state lock when updating gadget assets - secboot: read kernel efi image from snap file - snap: add size to the random access file return interface - daemon: correctly parse Content-Type HTTP header. - tests: account for apt-get on core18 - cmd/snap-bootstrap/initramfs-mounts: compute string outside of loop - mkversion.sh: simple hack to include dirty in version if the tree is dirty - cgroup,snap: track hooks on system bus only - interfaces/systemd: compare dereferenced Service - run-checks: only check files in git for misspelling - osutil: add a package doc comment (via doc.go) - boot: complain about reused asset name during initial install - snapstate: installSize helper that calculates total size of snaps and their prerequisites - snapshots: export of snapshots - boot/initramfs_test.go: reset boot vars on the bootloader for each iteration- New upstream release 2.46.1 - interfaces: allow snap-update-ns to read /proc/cmdline - github: run macOS job with Go 1.14 - o/snapstate, features: add feature flag for disk space check on remove - tests: account for apt-get on core18 - mkversion.sh: include dirty in version if the tree is dirty - interfaces/systemd: compare dereferenced Service - vendor.json: update mysterious secboot SHA again- New upstream release 2.46 - logger: add support for setting snapd.debug=1 on kernel cmdline - o/snapstate: check disk space before creating automatic snapshot on remove - boot, o/devicestate: observe existing recovery bootloader trusted boot assets - many: use transient scope for tracking apps and hooks - features: add HiddenSnapFolder feature flag - tests/lib/nested.sh: fix partition typo, unmount the image on uc20 too - runinhibit: open the lock file in read-only mode in IsLocked - cmd/s-b/initramfs-mounts: make recover -> run mode transition automatic - tests: update spread test for unknown plug/slot with snapctl is- connected - osutil: add OpenExistingLockForReading - kernel: add kernel.Validate() - interfaces: add vcio interface - interfaces/{docker,kubernetes}-support: load overlay and support systemd cgroup driver - tests/lib/nested.sh: use more robust code for finding what loop dev we mounted - cmd/snap-update-ns: detach all bind-mounted file - snap/snapenv: set SNAP_REAL_HOME - packaging: umount /snap on purge in containers - interfaces: misc policy updates xlvi - secboot,cmd/snap-bootstrap: cross-check partitions before unlocking, mounting - boot: copy boot assets cache to new root - gadget,kernel: add new kernel.{Info,Asset} struct and helpers - o/hookstate/ctlcmd: make is-connected check whether the plug or slot exists - tests: find -ignore_readdir_race when scanning cgroups - interfaces/many: deny arbitrary desktop files and misc from /usr/share - tests: use "set -ex" in prep-snapd-in-lxd.sh - tests: re-enable udisks test on debian-sid - cmd/snapd-generator: use PATH fallback if PATH is not set - tests: disable udisks2 test on arch linux - github: use latest/stable go, not latest/edge - tests: remove support for ubuntu 19.10 from spread tests - tests: fix lxd test wrongly tracking 'latest' - secboot: document exported functions - cmd: compile snap gdbserver shim correctly - many: correctly calculate the desktop file prefix everywhere - interfaces: add kernel-crypto-api interface - corecfg: add "system.timezone" setting to the system settings - cmd/snapd-generator: generate drop-in to use fuse in container - cmd/snap-bootstrap/initramfs-mounts: tweak names, add comments from previous PR - interfaces/many: miscellaneous updates for strict microk8s - secboot,cmd/snap-bootstrap: don't import boot package from secboot - cmd/snap-bootstrap/initramfs-mounts: call systemd-mount instead of the-tool - tests: work around broken update of systemd-networkd - tests/main/install-fontconfig-cache-gen: enhance test by verifying, add fonts to test - o/devicestate: wrap asset update observer error - boot: refactor such that bootStateUpdate20 mainly carries Modeenv - mkversion.sh: disallow changelog versions that have git in it, if we also have git version - interfaces/many: miscellaneous updates for strict microk8s - snap: fix repeated "cannot list recovery system" and add test - boot: track trusted assets during initial install, assets cache - vendor: update secboot to fix key data validation - tests: unmount FUSE file-systems from XDG runtime dir - overlord/devicestate: workaround non-nil interface with nil struct - sandbox/cgroup: remove temporary workaround for multiple cgroup writers - sandbox/cgroup: detect dangling v2 cgroup - bootloader: add helper for creating a bootloader based on gadget - tests: support different images on nested execution - many: reorg cmd/snapinfo.go into snap and new client/clientutil - packaging/arch: use external linker when building statically - tests: cope with ghost cgroupv2 - tests: fix issues related to restarting systemd-logind.service - boot, o/devicestate: TrustedAssetUpdateObserver stubs, hook up to gadget updates - vendor: update github.com/kr/pretty to fix diffs of values with pointer cycles - boot: move bootloaderKernelState20 impls to separate file - .github/workflows: move snap building to test.yaml as separate cached job - tests/nested/manual/minimal-smoke: run core smoke tests in a VM meeting minimal requirements - osutil: add CommitAs to atomic file - gadget: introduce content update observer - bootloader: introduce TrustedAssetsBootloader, implement for grub - o/snapshotstate: helpers for calculating disk space needed for an automatic snapshot - gadget/install: retrieve command lines from bootloader - boot/bootstate20: unify commit method impls, rm bootState20MarkSuccessful - tests: add system information and image information when debug info is displayed - tests/main/cgroup-tracking: try to collect some information about cgroups - boot: introduce current_boot_assets and current_recovery_boot_assets to modeenv - tests: fix for timing issues on journal-state test - many: remove usage and creation of hijacked pid cgroup - tests: port regression-home-snap-root-owned to tests.session - tests: run as hightest via tests.session - github: run CLA checks on self-hosted workers - github: remove Ubuntu 19.10 from actions workflow - tests: remove End-Of-Life opensuse/fedora releases - tests: remove End-Of-Life releases from spread.yaml - tests: fix debug section of appstream-id test - interfaces: check !b.preseed earlier - tests: work around bug in systemd/debian - boot: add deepEqual, Copy helpers for Modeenv to simplify bootstate20 refactor - cmd: add new "snap recovery" command - interfaces/systemd: use emulation mode when preseeding - interfaces/kmod: don't load kernel modules in kmod backend when preseeding - interfaces/udev: do not reload udevadm rules when preseeding - cmd/snap-preseed: use snapd from the deb if newer than from seeds - boot: fancy marshaller for modeenv values - gadget, osutil: use atomic file copy, adjust tests - overlord: use new tracking cgroup for refresh app awareness - github: do not skip gofmt with Go 1.9/1.10 - many: introduce content write observer, install mode glue, initial seal stubs - daemon,many: switch to use client.ErrorKind and drop the local errorKind... - tests: new parameters for nested execution - client: move all error kinds into errors.go and add doc strings - cmd/snap: display the error in snap debug seeding if seeding is in error - cmd/snap/debug/seeding: use unicode for proper yaml - tests/cmd/snap-bootstrap/initramfs-mounts: add test case for empty recovery_mode - osutil/disks: add mock disk and tests for happy path of mock disks - tests: refresh/revert snapd in uc20 - osutil/disks: use a dedicated error to indicate a fs label wasn't found - interfaces/system-key: in WriteSystemKey during tests, don't call ParserFeatures - boot: add current recovery systems to modeenv - bootloader: extend managed assets bootloader interface to compose a candidate command line - interfaces: make the unmarshal test match more the comment - daemon/api: use pointers to time.Time for debug seeding aspect - o/ifacestate: update security profiles in connect undo handler - interfaces: add uinput interface - cmd/snap-bootstrap/initramfs-mounts: add doSystemdMount + unit tests - o/devicestate: save seeding/preseeding times for use with debug seeding api - cmd/snap/debug: add "snap debug seeding" command for preseeding debugging - tests/main/selinux-clean: workaround SELinux denials triggered by linger setup on Centos8 - bootloader: compose command line with mode and extra arguments - cmd/snap, daemon: detect and bail purge on multi-snap - o/ifacestate: fix bug in snapsWithSecurityProfiles - interfaces/builtin/multipass: replace U+00A0 no-break space with simple space - bootloader/assets: generate bootloader assets from files - many/tests/preseed: reset the preseeded images before preseeding them - tests: drop accidental accents from e - secboot: improve key sealing tests - tests: replace _wait_for_file_change with retry - tests: new fs-state which replaces the files.sh helper - sysconfig/cloudinit_test.go: add test for initramfs case, rm "/" from path - cmd/snap: track started apps and hooks - tests/main/interfaces-pulseaudio: disable start limit checking for pulseaudio service - api: seeding debug api - .github/workflows/snap-build.yaml: build the snapd snap via GH Actions too - tests: moving journalctl.sh to a new journal-state tool - tests/nested/manual: add spread tests for cloud-init vuln - bootloader/assets: helpers for registering per-edition snippets, register snippets for grub - data,packaging,wrappers: extend D-Bus service activation search path - spread: add opensuse 15.2 and tumbleweed for qemu - overlord,o/devicestate: restrict cloud-init on Ubuntu Core - sysconfig/cloudinit: add RestrictCloudInit - cmd/snap-preseed: check that target path exists and is a directory on --reset - tests: check for pids correctly - gadget,gadget/install: refactor partition table update - sysconfig/cloudinit: add CloudInitStatus func + CloudInitState type - interface/fwupd: add more policies for making fwupd upstream strict - tests: new to-one-line tool which replaces the strings.sh helper - interfaces: new helpers to get and compare system key, for use with seeding debug api - osutil, many: add helper for checking whether the process is a go test binary - cmd/snap-seccomp/syscalls: add faccessat2 - tests: adjust xdg-open after launcher changes - tests: new core config helper - usersession/userd: do not modify XDG_DATA_DIRS when calling xdg- open - cmd/snap-preseed: handle relative chroot path - snapshotstate: move sizer to osutil.Sizer() - tests/cmd/snap-bootstrap/initramfs-mounts: rm duplicated env ref kernel tests - gadget/install,secboot: use snapcore/secboot luks2 api - boot/initramfs_test.go: add Commentf to more Assert()'s - tests/lib: account for changes in arch package file name extension - bootloader/bootloadertest: fix comment typo - bootloader: add helper for getting recovery system environment variables - tests: preinstall shellcheck and run tests on focal - strutil: add a helper for parsing kernel command line - osutil: add CheckFreeSpace helper - secboot: update tpm connection error handling - packaging, cmd/snap-mgmt, tests: remove modules files on purge - tests: add tests.cleanup helper - packaging: add "ca-certificates" to build-depends - tests: more checks in core20 early config spread test - tests: fix some snapstate tests to use pointers for snapmgrTestSuite - boot: better naming of helpers for obtaining kernel command line - many: use more specific check for unit test mocking - systemd/escape: fix issues with "" and "\t" handling - asserts: small improvements and corrections for sequence-forming assertions' support - boot, bootloader: query kernel command line of run mod and recovery mode systems - snap/validate.go: disallow snap layouts with new top-level directories - tests: allow to add a new label to run nested tests as part of PR validation - tests/core/gadget-update-pc: port to UC20 - tests: improve nested tests flexibility - asserts: integer headers: disallow prefix zeros and make parsing more uniform - asserts: implement Database.FindSequence - asserts: introduce SequenceMemberAfter in the asserts backstores - spread.yaml: remove tests/lib/tools from PATH - overlord: refuse to install snaps whose activatable D-Bus services conflict with installed snaps - tests: shorten lxd-state undo-mount-changes - snap-confine: don't die if a device from sysfs path cannot be found by udev - tests: fix argument handling of apt-state - tests: rename lxd-tool to lxd-state - tests: rename user-tool to user-state, fix --help - interfaces: add gconf interface - sandbox/cgroup: avoid parsing security tags twice - tests: rename version-tool to version-compare - cmd/snap-update-ns: handle anomalies better - tests: fix call to apt.Package.mark_install(auto_inst=True) - tests: rename mountinfo-tool to mountinfo.query - tests: rename memory-tool to memory-observe-do - tests: rename invariant-tool to tests.invariant - tests: rename apt-tool to apt-state - many: managed boot config during run mode setup - asserts: introduce the concept of sequence-forming assertion types - tests: tweak comments/output in uc20-recovery test - tests/lib/pkgdb: do not use quiet when purging debs - interfaces/apparmor: allow snap-specific /run/lock - interfaces: add system-source-code for access to /usr/src - sandbox/cgroup: extend SnapNameFromPid with tracking cgroup data - gadget/install: move udev trigger to gadget/install - many: make nested spread tests more reliable - tests/core/uc20-recovery: apply hack to get gopath in recover mode w/ external backend - tests: enable tests on uc20 which now work with the real model assertion - tests: enable system-snap-refresh test on uc20 - gadget, bootloader: preserve managed boot assets during gadget updates - tests: fix leaked dbus-daemon in selinux-clean - tests: add servicestate.Control tests - tests: fix "restart.service" - wrappers: helper for enabling services - extract and move enabling of services into a helper - tests: new test to validate refresh and revert of kernel and gadget on uc20 - tests/lib/prepare-restore: collect debug info when prepare purge fails - bootloader: allow managed bootloader to update its boot config - tests: Remove unity test from nightly test suite - o/devicestate: set mark-seeded to done in the task itself - tests: add spread test for disconnect undo caused by failing disconnect hook - sandbox/cgroup: allow discovering PIDs of given snap - osutil/disks: support IsDecryptedDevice for mountpoints which are dm devices - osutil: detect autofs mounted in /home - spread.yaml: allow amazon-linux-2-64 qemu with ec2-user/ec2-user - usersession: support additional zoom URL schemes - overlord: mock timings.DurationThreshold in TestNewWithGoodState - sandbox/cgroup: add tracking helpers - tests: detect stray dbus-daemon - overlord: refuse to install snaps providing user daemons on Ubuntu 14.04 - many: move encryption and installer from snap-boostrap to gadget - o/ifacestate: fix connect undo handler - interfaces: optimize rules of multiple connected iio/i2c/spi plugs - bootloader: introduce managed bootloader, implement for grub - tests: fix incorrect check in smoke/remove test - asserts,seed: split handling of essential/not essential model snaps - gadget: fix typo in mounted filesystem updater - gadget: do only one mount point lookup in mounted fs updater - tests/core/snap-auto-mount: try to make the test more robust - tests: adding ubuntu-20.04 to google-sru backend - o/servicestate: add updateSnapstateServices helper - bootloader: pull recovery grub config from internal assets - tests/lib/tools: apply linger workaround when needed - overlord/snapstate: graceful handling of denied "managed" refresh schedule - snapstate: fix autorefresh from classic->strict - overlord/configstate: add system.kernel.printk.console-loglevel option - tests: fix assertion disk handling for nested UC systems - snapstate: use testutil.HostScaledTimeout() in snapstate tests - tests: extra worker for google-nested backend to avoid timeout error on uc20 - snapdtool: helper to check whether the current binary is reexeced from a snap - tests: mock servicestate in api tests to avoid systemctl checks - many: rename back snap.Info.GetType to Type - tests/lib/cla_check: expect explicit commit range - osutil/disks: refactor diskFromMountPointImpl a bit - o/snapstate: service-control task handler - osutil: add disks pkg for associating mountpoints with disks/partitions - gadget,cmd/snap-bootstrap: move partitioning to gadget - seed: fix LoadEssentialMeta when gadget is not loaded - cmd/snap: Debian does not allow $SNAP_MOUNT_DIR/bin in sudo secure_path - asserts: introduce new assertion validation-set - asserts,daemon: add support for "serials" field in system-user assertion - data/sudo: drop a failed sudo secure_path workaround - gadget: mv encodeLabel to osutil/disks.EncodeHexBlkIDFormat - boot, snap-bootstrap: move initramfs-mounts logic to boot pkg - spread.yaml: update secure boot attribute name - interfaces/block_devices: add NVMe subsystem devices, support multipath paths - tests: use the "jq" snap from the edge channel - tests: simplify the tpm test by removing the test-snapd-mokutil snap - boot/bootstate16.go: clean snap_try_* vars when not in Trying status too - tests/main/sudo-env: check snap path under sudo - tests/main/lxd: add test for snaps inside nested lxd containers not working - asserts/internal: expand errors about invalid serialized grouping labels - usersession/userd: add msteams url support - tests/lib/prepare.sh: adjust comment about sgdisk - tests: fix how gadget pc is detected when the snap does not exist and ls fails - tests: move a few more tests to snapstate_update_test.go - tests/main: add spread test for running svc from install hook - tests/lib/prepare: increase the size of the uc16/uc18 partitions - tests/special-home-can-run-classic-snaps: re-enable - workflow: test PR title as part of the static checks again - tests/main/xdg-open-compat: backup and restore original xdg-open - tests: move update-related tests to snapstate_update_test.go - cmd,many: move Version and bits related to snapd tools to snapdtool, merge cmdutil - tests/prepare-restore.sh: reset-failed systemd-journald before restarting - interfaces: misc small interface updates - spread: use find rather than recursive ls, skip mounted snaps - tests/lib/prepare-restore.sh: if we failed to purge snapd deb, ls /var/lib/snapd - tests: enable snap-auto-mount test on core20 - cmd/snap: do not show $PATH warning when executing under sudo on a known distro - asserts/internal: add some iteration benchmarks - sandbox/cgroup: improve pid parsing code - snap: add new `snap run --experimental-gdbserver` option - asserts/internal: limit Grouping size switching to a bitset representationWe don't always use the bit-set representation because: - snap: add an activates-on property to apps for D-Bus activation - dirs: delete unused Cloud var, fix typo - sysconfig/cloudinit: make callers of DisableCloudInit use WritableDefaultsDir - tests: fix classic ubuntu core transition auth - tests: fail in setup_reflash_magic() if there is snapd state left - tests: port interfaces-many-core-provided to tests.session - tests: wait after creating partitions with sfdisk - bootloader: introduce bootloarder assets, import grub.cfg with an edition marker - riscv64: bump timeouts - gadget: drop dead code, hide exports that are not used externally - tests: port 2 uc20 part1 - tests: fix bug waiting for snap command to be ready - tests: move try-related tests to snapstate_try_test.go - tests: add debug for 20.04 prepare failure - travis.yml: removed, all our checks run in GH actions now - tests: clean up up the use of configcoreSuite in the configcore tests - sandbox/cgroup: remove redundant pathOfProcPidCgroup - sandbox/cgroup: add tests for ParsePids - tests: fix the basic20 test for uc20 on external backend - tests: use configcoreSuite in journalSuite and remove some duplicated code - tests: move a few more tests to snapstate_install_test - tests: assorted small patches - dbusutil/dbustest: separate license from package - interfaces/builtin/time-control: allow POSIX clock API - usersession/userd: add "slack" to the white list of URL schemes handled by xdg-open - tests: check that host settings like hostname are settable on core - tests: port xdg-settings test to tests.session - tests: port snap-handle-link test to tests.session - arch: add riscv64 - tests: core20 early defaults spread test - tests: move install tests from snapstate_test.go to snapstate_install_test.go - github: port macOS sanity checks from travis - data/selinux: allow checking /var/cache/app-info - o/devicestate: core20 early config from gadget defaults - tests: autoremove after removing lxd in preseed-lxd test - secboot,cmd/snap-bootstrap: add tpm sealing support to secboot - sandbox/cgroup: move FreezerCgroupDir from dirs.go - tests: update the file used to detect the boot path on uc20 - spread.yaml: show /var/lib/snapd in debug - cmd/snap-bootstrap/initramfs-mounts: also copy systemd clock + netplan files - snap/naming: add helpers to parse app and hook security tags - tests: modernize retry tool - tests: fix and trim debug section in xdg-open-portal - tests: modernize and use snapd.tool - vendor: update to latest github.com/snapcore/bolt for riscv64 - cmd/snap-confine: add support for libc6-lse - interfaces: miscellaneous policy updates xlv - interfaces/system-packages-doc: fix typo in variable names - tests: port interfaces-calendar-service to tests.session - tests: install/run the lzo test snap too - snap: (small) refactor of `snap download` code for testing/extending - data: fix shellcheck warnings in snapd.sh.in - packaging: disable buildmode=pie for riscv64 - tests: install test-snapd-rsync snap from edge channel - tests: modernize tests.session and port everything using it - tests: add ubuntu 20.10 to spread tests - cmd/snap/remove: mention snap restore/automatic snapshots - dbusutil: move all D-Bus helpers and D-Bus test helpers - wrappers: pass 'disable' flag to StopServices wrapper - osutil: enable riscv64 build - snap/naming: add ParseSecurityTag and friends - tests: port document-portal-activation to session-tool - bootloader: rename test helpers to reflect we are mocking EFI boot locations - tests: disable test of nfs v3 with udp proto on debian-sid - tests: plan to improve the naming and uniformity of utilities - tests: move *-tool tests to their own suite - snap-bootstrap: remove sealed key file on reinstall - bootloader/ubootenv: don't panic with an empty uboot env - systemd: rename actualFsTypeAndMountOptions to hostFsTypeAndMountOptions - daemon: fix filtering of service-control changes for snap.app - tests: spread test for preseeding in lxd container - tests: fix broken snapd.session agent.socket - wrappers: add RestartServices function and ReloadOrRestart to systemd - o/cmdstate: handle ignore flag on exec-command tasks - gadget: make ext4 filesystems with or without metadata checksum - tests: update statx test to run on all LTS releases - configcore: show better error when disabling services - interfaces: add hugepages-control - interfaces-ssh-keys: Support reading /etc/ssh/ssh_config.d/ - tests: run ubuntu-20.04-* tests on all ubuntu-2* releases - tests: skip interfaces-openvswitch for centos 8 in nightly suite - tests: reload systemd --user for root, if present - tests: reload systemd after editing /etc/fstab - tests: add missing dependencies needed for sbuild test on debian - tests: reload systemd after removing pulseaudio - image, tests: core18 early config. - interfaces: add system-packages-doc interface - cmd/snap-preseed, systemd: fix handling of fuse.squashfuse when preseeding - interfaces/fwupd: allow bind mount to /boot on core - tests: improve oom-vitality tests - tests: add fedora 32 to spread.yaml - config: apply vitality-hint immediately when the config changes - tests: port snap-routine-portal-info to session-tool - configcore: add "service.console-conf.disable" config option - tests: port xdg-open to session-tool - tests: port xdg-open-compat to session-tool - tests: port interfaces-desktop-* to session-tool - spread.yaml: apply yaml formatter/linter - tests: port interfaces-wayland to session-tool - o/devicestate: refactor current system handling - snap-mgmt: perform cleanup of user services - snap/snapfile,squashfs: followups from 8729 - boot, many: require mode in modeenv - data/selinux: update policy to allow forked processes to call getpw*() - tests: log stderr from dbus-monitor - packaging: build cmd/snap and cmd/snap-bootstrap with nomanagers tag - snap/squashfs: also symlink snap Install with uc20 seed snap dir layout - interfaces/builtin/desktop: do not mount fonts cache on distros with quirks - data/selinux: allow snapd to remove/create the its socket - testutil/exec.go: set PATH after running shellcheck - tests: silence stderr from dbus-monitor - snap,many: mv Open to snapfile pkg to support add'l options to Container methods - devicestate, sysconfig: revert support for cloud.cfg.d/ in the gadget - github: remove workaround for bug 133 in actions/cache - tests: remove dbus.sh - cmd/snap-preseed: improve mountpoint checks of the preseeded chroot - spread.yaml: add ps aux to debug section - github: run all spread systems in a single go with cached results - test: session-tool cli tweaks - asserts: rest of the Pool API - tests: port interfaces-network-status-classic to session-tool - packaging: remove obsolete 16.10,17.04 symlinks - tests: setup portals before starting user session - o/devicestate: typo fix - interfaces/serial-port: add NXP SC16IS7xx (ttySCX) to allowed devices - cmd/snap/model: support store, system-user-authority keys in --verbose - o/devicestate: raise conflict when requesting system action while seeding - tests: detect signs of crashed snap-confine - tests: sign kernel and gadget to run nested tests using current snapd code - tests: remove gnome-online-accounts we install - tests: fix the issue where all the tests were executed on secboot system - tests: port interfaces-accounts-service to session-tool - interfaces/network-control: bring /var/lib/dhcp from host - image,cmd/snap,tests: add support for store-wide cohort keys - configcore: add nomanagers buildtag for conditional build - tests: port interfaces-password-manager-service to session-tool - o/devicestate: cleanup system actions supported by recover mode - snap-bootstrap: remove create-partitions and update tests - tests: fix nested tests - packaging/arch: update PKGBUILD to match one in AUR - tests: port interfaces-location-control to session-tool - tests: port interfaces-contacts-service to session-tool - state: log task errors in the journal too - o/devicestate: change how current system is reported for different modes - devicestate: do not report "ErrNoState" for seeded up - tests: add a note about broken test sequence - tests: port interfaces-autopilot-introspection to session-tool - tests: port interfaces-dbus to session-tool - packaging: update sid packaging to match 16.04+ - tests: enable degraded test on uc20 - c/snaplock/runinhibit: add run inhibition operations - tests: detect and report root-owned files in /home - tests: reload root's systemd --user after snapd tests - tests: test registration with serial-authority: [generic] - cmd/snap-bootstrap/initramfs-mounts: copy auth.json and macaroon- key in recover - tests/mount-ns: stop binfmt_misc mount unit - cmd/snap-bootstrap/initramfs-mounts: use booted kernel partition uuid if available - daemon, tests: indicate system mode, test switching to recovery and back to run - interfaces/desktop: silence more /var/lib/snapd/desktop/icons denials - tests/mount-ns: update to reflect new UEFI boot mode - usersession,tests: clean ups for userd/settings.go and move xdgopenproxy under usersession - tests: disable mount-ns test - tests: test user belongs to systemd-journald, on core20 - tests: run core/snap-set-core-config on uc20 too - tests: remove generated session-agent units - sysconfig: use new _writable_defaults dir to create cloud config - cmd/snap-bootstrap/initramfs-mounts: cosmetic changes in prep for future work - asserts: make clearer that with label we mean a serialized label - cmd/snap-bootstrap: tweak recovery trigger log messages - asserts: introduce PoolTo - userd: allow setting default-url-scheme-handler - secboot: append uuid to ubuntu-data when decrypting - o/configcore: pass extra options to FileSystemOnlyApply - tests: add dbus-user-session to bionic and reorder package names - boot, bootloader: adjust comments, expand tests - tests: improve debugging of user session agent tests - packaging: add the inhibit directory - many: add core.resiliance.vitality-hint config setting - tests: test adjustments and fixes for recently published images - cmd/snap: coldplug auto-import assertions from all removable devices - secboot,cmd/snap-bootstrap: move initramfs-mounts tpm access to secboot - tests: not fail when boot dir cannot be determined - tests: new directory used to store the cloud images on gce - tests: inject snapd from edge into seeds of the image in manual preseed test - usersession/agent,wrappers: fix races between Shutdown and Serve - tests: add dependency needed for next upgrade of bionic - tests: new test user is used for external backend - cmd/snap: fix the order of positional parameters in help output - tests: don't create root-owned things in ~test - tests/lib/prepare.sh: delete patching of the initrd - cmd/snap-bootstrap/initramfs-mounts: add sudoers to dirs to copy as well - progress: tweak multibyte label unit test data - o/devicestate,cmd/snap-bootstrap: seal to recover mode cmdline - gadget: fix fallback device lookup for 'mbr' type structures - configcore: only reload journald if systemd is new enough - cmd/snap-boostrap, boot: use /run/mnt/data instead of ubuntu-data - wrappers: allow user mode systemd daemons - progress: fix progress bar with multibyte duration units - tests: fix raciness in pulseaudio test - asserts/internal: introduce Grouping and Groupings - tests: remove user.sh - tests: pair of follow-ups from earlier reviews - overlord/snapstate: warn of refresh/postpone events - configcore,tests: use daemon-reexec to apply watchdog config - c/snap-bootstrap: check mount states via initramfsMountStates - store: implement DownloadAssertions - tests: run smoke test with different bases - tests: port user-mounts test to session-tool - store: handle error-list in fetch-assertions results - tests: port interfaces-audio-playback-record to session-tool - data/completion: add `snap` command completion for zsh - tests/degraded: ignore failure in systemd-vconsole-setup.service - image: stub implementation of image.Prepare for darwin - tests: session-tool --restore -u stops user-$UID.slice - o/ifacestate/handlers.go: fix typo - tests: port pulseaudio test to session-tool - tests: port user-session-env to session-tool - tests: work around journald bug in core16 - tests: add debug to core-persistent-journal test - tests: port selinux-clean to session-tool - tests: port portals test to session-tool, fix portal tests on sid - tests: adding option --no-install-recommends option also when install all the deps - tests: add session-tool --has-systemd-and-dbus - packaging/debian-sid: add gcc-multilib to build deps - osutil: expand FileLock to support shared locks and more - packaging: stop depending on python-docutils - store,asserts,many: support the new action fetch-assertions - tests: port snap-session-agent-* to session-tool - packaging/fedora: disable FIPS compliant crypto for static binaries - tests: fix for preseeding failures- Release 2.45.3.1 to Fedora (RHBZ#1861024) - Fix FTBFS in Rawhide (RHBZ#1865496)- Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild- New upstream release, LP: #1875071 - o/ifacestate: fix bug in snapsWithSecurityProfiles - tests/main/selinux-clean: workaround SELinux denials triggered by linger setup on Centos8- New upstream release, LP: #1875071 - many: backport _writable_defaults dir changes - tests: fix incorrect check in smoke/remove test - cmd/snap-bootstrap,seed: backport of uc20 PRs - tests: avoid exit when nested type var is not defined - cmd/snap-preseed: backport fixes - interfaces: optimize rules of multiple connected iio/i2c/spi plugs - many: cherry-picks for 2.45, gh-action, test fixes - tests/lib: account for changes in arch package file name extension - postrm, snap-mgmt: cleanup modules and other cherry-picks - snap-confine: don't die if a device from sysfs path cannot be found by udev - data/selinux: update policy to allow forked processes to call getpw*() - tests/main/interfaces-time-control: exercise setting time via date - interfaces/builtin/time-control: allow POSIX clock API - usersession/userd: add "slack" to the white list of URL schemes handled by xdg-open- release 2.45.2 to Fedora- New upstream release 2.45.2 - SECURITY UPDATE: sandbox escape vulnerability on snapctl xdg-open implementation - usersession/userd/launcher.go: remove XDG_DATA_DIRS environment variable modification when calling the system xdg-open. Patch thanks to James Henstridge - packaging/ubuntu-16.04/snapd.postinst: ensure "snap userd" is restarted. Patch thanks to Michael Vogt - CVE-2020-11934 - SECURITY UPDATE: arbitrary code execution vulnerability on core devices with access to physical removable media - devicestate: Disable/restrict cloud-init after seeding. - CVE-2020-11933- Release 2.45.1 to Fedora (RHBZ#1844628) - Drop cherry-picked patches that are part of the release- New upstream release 2.45.1 - data/selinux: allow checking /var/cache/app-info - cmd/snap-confine: add support for libc6-lse - interfaces: miscellanious policy updates xlv - snap-bootstrap: remove sealed key file on reinstall - interfaces-ssh-keys: Support reading /etc/ssh/ssh_config.d/ - gadget: make ext4 filesystems with or without metadata checksum - interfaces/fwupd: allow bind mount to /boot on core - tests: cherry-pick test fixes from master - snap/squashfs: also symlink snap Install with uc20 seed snap dir layout - interfaces/serial-port: add NXP SC16IS7xx (ttySCX) to allowed devices - snap,many: mv Open to snapfile pkg to support add'l options to Container methods - interfaces/builtin/desktop: do not mount fonts cache on distros with quirks - devicestate, sysconfig: revert support for cloud.cfg.d/ in the gadget - data/completion, packaging: cherry-pick zsh completion - state: log task errors in the journal too - devicestate: do not report "ErrNoState" for seeded up - interfaces/desktop: silence more /var/lib/snapd/desktop/icons denials - packaging/fedora: disable FIPS compliant crypto for static binaries - packaging: stop depending on python-docutils- Release 2.45 to Fedora (RHBZ#1814552) - Cherry pick zsh completion patch - Cherry pick patch disabling fontconfig system cache sharing due to known incompatibilities - Drop sudoers config (RHBZ#1691996)- New upstream release 2.45 - o/devicestate: support doing system action reboots from recover mode - vendor: update to latest secboot - tests: not fail when boot dir cannot be determined - configcore: only reload journald if systemd is new enough - cmd/snap-bootstrap/initramfs-mounts: append uuid to ubuntu-data when decrypting - tests/lib/prepare.sh: delete patching of the initrd - cmd/snap: coldplug auto-import assertions from all removable devices - cmd/snap: fix the order of positional parameters in help output - c/snap-bootstrap: port mount state mocking to the new style on master - cmd/snap-bootstrap/initramfs-mounts: add sudoers to dirs to copy as well - o/devicestate,cmd/snap-bootstrap: seal to recover mode cmdline, unlock in recover mode initramfs - progress: tweak multibyte label unit test data - gadget: fix fallback device lookup for 'mbr' type structures - progress: fix progress bar with multibyte duration units - many: use /run/mnt/data over /run/mnt/ubuntu-data for uc20 - many: put the sealed keys in a directory on seed for tidiness - cmd/snap-bootstrap: measure epoch and model before unlocking encrypted data - o/configstate: core config handler for persistent journal - bootloader/uboot: use secondary ubootenv file boot.sel for uc20 - packaging: add "$TAGS" to dh_auto_test for debian packaging - tests: ensure $cache_dir is actually available - secboot,cmd/snap-bootstrap: add model to pcr protection profile - devicestate: do not use snap-boostrap in devicestate to install - tests: fix a typo in nested.sh helper - devicestate: add support for cloud.cfg.d config from the gadget - cmd/snap-bootstrap: cleanups, naming tweaks - testutil: add NewDBusTestConn - snap-bootstrap: lock access to sealed keys - overlord/devicestate: preserve the current model inside ubuntu- boot - interfaces/apparmor: use differently templated policy for non-core bases - seccomp: add get_tls, io_pg* and *time64/*64 variants for existing syscalls - cmd/snap-bootstrap/initramfs-mounts: mount ubuntu-seed first, other misc changes - o/snapstate: tweak "waiting for restart" message - boot: store model model and grade information in modeenv - interfaces/firewall-control: allow -legacy and -nft for core20 - boot: enable makeBootable20RunMode for EnvRefExtractedKernel bootloaders - boot/bootstate20: add EnvRefExtractedKernelBootloader bootstate20 implementation - daemon: fix error message from `snap remove-user foo` on classic - overlord: have a variant of Mock that can take a state.State - tests: 16.04 and 18.04 now have mediating pulseaudio (again) - seed: clearer errors for missing essential snapd or core snap - cmd/snap-bootstrap/initramfs-mounts: support EnvRefExtractedKernelBootloader's - gadget, cmd/snap-bootstrap: MBR schema support - image: improve/adjust DownloadSnap doc comment - asserts: introduce ModelGrade.Code - tests: ignore user-12345 slice and service - image,seed/seedwriter: support redirect channel aka default tracks - bootloader: use binary.Read/Write - tests: uc20 nested suite part II - tests/boot: refactor to make it easier for new bootloaderKernelState20 impl - interfaces/openvswitch: support use of ovs-appctl - snap-bootstrap: copy auth data from real ubuntu-data in recovery mode - snap-bootstrap: seal and unseal encryption key using tpm - tests: disable special-home-can-run-classic-snaps due to jenkins repo issue - packaging: fix build on Centos8 to support BUILDTAGS - boot/bootstate20: small changes to bootloaderKernelState20 - cmd/snap: Implement a "snap routine file-access" command - spread.yaml: switch back to latest/candidate for lxd snap - boot/bootstate20: re-factor kernel methods to use new interface for state - spread.yaml,tests/many: use global env var for lxd channel - boot/bootstate20: fix bug in try-kernel cleanup - config: add system.store-certs.[a-zA-Z0-9] support - secboot: key sealing also depends on secure boot enabled - httputil: fix client timeout retry tests - cmd/snap-update-ns: handle EBUSY when unlinking files - cmd/snap/debug/boot-vars: add opts for setting dir and/or uc20 vars - secboot: add tpm support helpers - tests/lib/assertions/developer1-pi-uc20.model: use 20/edge for kernel and gadget - cmd/snap-bootstrap: switch to a 64-byte key for unlocking - tests: preserve size for centos images on spread.yaml - github: partition the github action workflows - run-checks: use consistent "Checking ..." style messages - bootloader: add efi pkg for reading efi variables - data/systemd: do not run snapd.system-shutdown if finalrd is available - overlord: update tests to work with latest go - cmd/snap: do not hide debug boot-vars on core - cmd/snap-bootstrap: no error when not input devices are found - snap-bootstrap: fix partition numbering in create-partitions - httputil/client_test.go: add two TLS version tests - tests: ignore user@12345.service hierarchy - bootloader, gadget, cmd/snap-bootstrap: misc cosmetic things - tests: rewrite timeserver-control test - tests: fix racy pulseaudio tests - many: fix loading apparmor profiles on Ubuntu 20.04 with ZFS - tests: update snap-preseed --reset logic to accommodate for 2.44 change - cmd/snap: don't wait for system key when stopping - sandbox/cgroup: avoid making arrays we don't use - osutil: mock proc/self/mountinfo properly everywhere - selinux: export MockIsEnforcing; systemd: use in tests - tests: add 32 bit machine to GH actions - tests/session-tool: kill cron session, if any - asserts: it should be possible to omit many snap-ids if allowed, fix - boot: cleanup more things, simplify code - github: skip spread jobs when corresponding label is set - dirs: don't depend on osutil anymore, mv apparmor vars to apparmor pkg - tests/session-tool: add session-tool --dump - github: allow cached debian downloads to restore - tests/session-tool: session ordering is non-deterministic - tests: enable unit tests on debian-sid again - github: move spread to self-hosted workers - secboot: import secboot on ubuntu, provide dummy on !ubuntu - overlord/devicestate: support for recover and run modes - snap/naming: add validator for snap security tag - interfaces: add case for rootWritableOverlay + NFS - tests/main/uc20-create-partitions: tweaks, renames, switch to 20.04 - github: port CLA check to Github Actions - interfaces/many: miscellaneous policy updates xliv - configcore,tests: fix setting watchdog options on UC18/20 - tests/session-tool: collect information about services on startup - tests/main/uc20-snap-recovery: unbreak, rename to uc20-create- partitions - state: add state.CopyState() helper - tests/session-tool: stop anacron.service in prepare - interfaces: don't use the owner modifier for files shared via document portal - systemd: move the doc comments to the interface so they are visible - cmd/snap-recovery-chooser: tweaks - interfaces/docker-support: add overlayfs file access - packaging: use debian/not-installed to ignore snap-preseed - travis.yml: disable unit tests on travis - store: start splitting store.go and store_test.go into subtopic files - tests/session-tool: stop cron/anacron from meddling - github: disable fail-fast as spread cannot be interrupted - github: move static checks and spread over - tests: skip "/etc/machine-id" in "writablepaths" test - snap-bootstrap: store encrypted partition recovery key - httputil: increase testRetryStrategy max timelimit to 5s - tests/session-tool: kill leaking closing session - interfaces: allow raw access to USB printers - tests/session-tool: reset failed session-tool units - httputil: increase httpclient timeout in TestRetryRequestTimeoutHandling - usersession: extend timerange in TestExitOnIdle - client: increase timeout in client tests to 100ms - many: disentagle release and snapdenv from sandbox/* - boot: simplify modeenv mocking to always write a modeenv - snap-bootstrap: expand data partition on install - o/configstate: add backlight option for core config - cmd/snap-recovery-chooser: add recovery chooser - features: enable robust mount ns updates - snap: improve TestWaitRecovers test - sandbox/cgroup: add ProcessPathInTrackingCgroup - interfaces/policy: fix comment in recent new test - tests: make session tool way more robust - interfaces/seccomp: allow passing an address to setgroups - o/configcore: introduce core config handlers (3/N) - interfaces: updates to login-session-observe, network-manager and modem-manager interfaces - interfaces/policy/policy_test.go: add more tests'allow- installation: false' and we grant based on interface attributes - packaging: detect/disable broken seed in the postinst - cmd/snap-confine/mount-support-nvidia.c: add libnvoptix as nvidia library - tests: remove google-tpm backend from spread.yaml - tests: install dependencies with apt using --no-install-recommends - usersession/userd: add zoommtg url support - snap-bootstrap: fix disk layout sanity check - snap: add `snap debug state --is-seeded` helper - devicestate: generate warning if seeding fails - config, features: move and rename config.GetFeatureFlag helper to features.Flag - boot, overlord/devicestate, daemon: implement requesting boot into a given recovery system - xdgopenproxy: forward requests to the desktop portal - many: support immediate reboot - store: search v2 tweaks - tests: fix cross build tests when installing dependencies - daemon: make POST /v2/systems/

ZACB,gt:s͈/kr(%?}' S쾹gh&cc߼0߮>1Yx 2B;욜O!.>A<7 &\l0ne1 x%.3w !ioHO琷J]eڧAT3KrL*;5@M~sj y:/+Jg,}!?C%&udlK%6*Aɜ>YڤO`[W&,xY~yõ` {_`k,P8_Z> ɵGsfh]:iwXp'8ni`pT;%|,|x)m}\Q&/w9F|ކ`JތN'./=/8=tn&~OcOSz|!g0,<+|'Z4Us(*AȈ<7B.hl=b0|<^7[l=kâ%-@)av0Bw ݝCK!QP^7k"eX WUqr ]9 ԺIlw .-1*sO$t9B!mw4PYɲ.+k  ĥu)^ʂ`d|b!Cttx ,wy*Qkc t^\m7 p P: C䔥?<AzT/hɜJre~c},%2|m$W2p_4| 0:LD JY CVh>Zf;5=!e6QG>> [ؖfh -!P>6^yyx쑖 WsosqA tH}}îY@8[4 ۙ9*#ܝ|e,;P l >C\>1X' [.`nֻ8~3gZ2U}~C xt'fZPP!C'W\pY)~aQag޿h6=o[¥yGY.Yx1eBXL5>zjNtb!wmz~=$& J}`0F=/H6,qk>26݄_['$]D1o64`Qza!yu0kXp\cij ڜRqA(nwA"K rb #{FIcD{T:h2\jW~(^&T=aP&ѬZ%kK:18Ud`DʀꆰfpcA=NɑٳUQIF GM^Ӱ4o6Ech.2K-~O_ ck`i(&jDo<Y9j{{IVxwוŹO#]>O36|=[Ju+zXbtR.͊O){Jl }fֲWGx蝢/6 "[WPgh(7A=nm YsԢT\ }Y)#]Ʋji OLr IU7 AN%n£ # :6k8)U(_(?z#mP0VB3}$8]FdX qr!ۙI$ \\{%RkVy CǂE A35UڝPfVCp*HIE°$+v3x 0>l֊Q[ϯ(Q/S?0&reMnwT?G+ǃzRc6}x;{ndI6ؖ 1--XUR2O)FHptJbe脗@4>@b'f'E*̕.AAj G0X,5)n~\DyUbaZx43m5g|1`Kη%)<ܢ ċ4EqVDgҕ!֫xn;|`Yl=v*j:$MrSC%P4}`P[j xk-eXf`tr]_Nv/v-J R3&swU+i]d P;0ė3n"=Ų. 6/k 00.DxfYʵŚRh ~40ӊHh^kY D_HNqǴv /a€jpa& WiS*Nw wIu\, n]n]/w7"9 OF/QicjM08Ueɯu^ $}$(Z,s2 PaPb&̿.EY8msPE[ J2쓩\=*Z,ϕ( .?9S_●(fÿSw,lg%I$Guwv{9:ETeHk}2@ŀ %n)nRժEd (ۘ^=1EW0cPVA_+EQ߀q4`Уb늞d7TMf7Ƞf3Vvl7\x?T1=:6) @O.?F; \m|T[=6\?)*LqfRHƎ J޻@Kx"d}NQ-["W ub]U=M!3[ѵ凞bfAw]R*v>tn˲<`U.i;ӌl Nv[(n8?l!Ol{u*0ĠpWp IQfOm9P^*D-"\~//85[HoXP+Q>4a(} 3>Ȥ@ㅔc][ z  I8Qz#H"Q5TB#DһEڃn)u@u&!7 QѲ0-u6/ŠȖrDU;dD(7zC8v_@~~ٻAO#wV;IIpQetvgܭ\}0[k'WzRP1\gz+Jn?ėhA1uc!8jN2 pTV.?0Nc=k+`UUJR`kݭ1܍ o◱K[pi*{̙B.W7x8qͪ>Qȃ٘RO+W }W%cds4)O~VLgrd]~&W|*ΐy2 qScXzYjj}%I?F!KUjdȡ'J6eTPX%<Ֆ˦h}$~]^o)czPtߜYy7|:n[)>~~6O&)5Hw^3&[e!w|ɱ ?X+YYJVs[. |%qY4{Xsqϵ#rsC?2U&^40~A,Y@!=OAc Mb(ҝq?xɯ ˥I0C5U0M]ھNLK;רO)Aa +Փ>KG>.rs Kt6Bc8:s xVI>soyR1Y^ Rh}e^m q2Шx5=,%@\'*|VU ;0&+.l:j%?b+wPK,w5!?rGi ::SAE!ΤD6>ǿeQ*w@$t2h}p33[ssޑ{( ͥ"wߒe"Ёsqӱ!3%Q `?#kDpzn=rsiF42x.;\B8%pTH] nxrw=).X!E"A ~-4YEd]R(9~ vIHAM݅SɎjd$?qK"Z Q,iRѡ! D2kETqCXs}\XM:(G5w}E#a?a~|0pE4U:865 wdCO#W-WdD# Y|RnZdVe.~k &~z麤GS7:O&v6z&e̼n-X72d;dzDخ2o]$MT7uI~"(ئaI>Qz4*1ܰ!>o)5WJ4#(:b_^xz&4D3+lAqIfK}f=;~b.a5eo_C`Ʒ0&}[+bJYb 4 p͐S Z](0_Rz:+X9#V+1w`.?AG&zkAߊ g$7>Z/߹sqfOs lVxG>P]m9-vlTmNq G~aOLv04$Sgn!]*'܇{+F*mB-Ck Vxʣ*]!|;Jt_ 5a2%<C̥>6@f_]-V(0Zv{c3ϹHb]ӔGy)v4CAg=`FB,NOv=?5*XǏ=U|U3pܟrމ8>.@Xڦ^ 1d ow Di_X#tubYPjیBu~ &WATD`ቜ(-(Dm^3cÒbMŽrVawwFIFM }W Ē)&zU=K)8U+#Xv7}x(8;vyp.͌X8՟çcOظ2#zih*Xx:H W(o=7󭩑*ǥw;B:~0 Nskc쵟D&|8?ZsF˵!x | %8Pt*-N+/a(<8fR,hSpvBOߋ zG,0է +3HEek8עB?xsbEHLI\*ci  ڴ@7XnU;qeJ$ܬLLj2u龟neVTh;0 Hi9Yv6^[~'?u!@nX#s4ꍈjvin󫸪K. ]xI#L.b sa(b'@ë+>2xh^nBC4$Ʌ "K_"l PCJ}J_D> f Ҏ2S}3#T9R 9̱\eM̛mJ>b ͘[ԃQ\·)dziBfKX}@ ԉ?tp-X( JVO EGYUTnꮂ+cŒY?jyIbA 9OZؽC,\>tOMkJ8 .Iu\ai?xW,"8WzXQSfnQt؀̕^{bg9G02 (9p\5_Jj(x)$p N&&܇ Ww.j.`<4Q_݂zlv7Qʖ(tzy07.ϾyZ8$ߌ#ֹvK$_WZDHM'T)|Y؍j)@sUVW2/SxQp"[ 9@O?7m n: ܉Ls);دcƟ/s@-/\iP[.CTg~{O[ кcL| bx+ۚ=[ /Z>` JyDL(I31a #G 6C.gx?jsn_N%zgo-Z<(\Gh}& &VO`S> tLThMS f귲$ |Ciж48xGU;vꡓ"j@A)oL*2iZ R>8oJ4'55ކ TH{We砷A#eNlkݺ}Pt#o~FQ 0[A;q^Pޚ"C~v`p~m1'6NWL`PCA j'M`av8B^iN#f aƂ:2K,'Wu^df69 'ЀާEQ^3nc}a y᪢fp/2Ӷ%N\n?^v[%3#<3^scꖆגz#՘\w- <$9Th-+4 % T> EdcK=Cٓ) 9 2œN^L}*FÎ;DdGr16r8'ҩj+tg$ژV䚕v |J<g=-]s*bV@Z|t{ۡzEV/! ͉qAy#V(e hdnkES-\3L7 ,bRu VHKn"y'-t(nfsc=BJq9&OܧЛD?` 7-H!br~c J`s r.)r$lbr4h^Y)v= a>Xb a%gEhS= _I47e*\h)5fC_ޞi9=>K;H[Xϛ 5cEcǼcj2J#$QO;Uߓ&:w nq\`=Y-mC5e/ʲP!R3v8\8Ɔws<}:#N p!yŠ/5JX\K'RneՑ#@w`WiVI3z^sP3ۂkn;"{pF( ]%f8GdB-}I^sJf;[pCxWbAU QUjDrnqd;\d'_vg)Q.*RBRgbgӞ.Vv>JE;U1uOO[[9`WW.iGgА ;`-ҩC6@ ۡ So\;V68W3B$/LC>߭ Q4MefI*M2(5*s/cbNе0{!% %^'aٖF 9Ǣ1UC,usazʰ)Y8rTU}&>20Ľ4)`%[P q#qD+P۩a14=Dsym70]/*̉h$ mǣjK]EhyHҋ@HZi`T bб.;a8LW9!hPN@d};)v<6JMRU4tX=W98-PU󗀲._bu4I Y"YC8@,aQC5-JԦPy NwB6Z} 7YIc7AEVsׂF-#ی+ޏ\C%(g(n:7+<¼2iqpsĮq h-oR*LF?۱~/e&F"j׆tP) V!J6Lplqd^e דCR 'v4"؛= Ǔ'n߸ruzWҙejFn RT߶SԯȻ9UqAQ.AכB?J-)HQ~5ݺ&T%ܒnnP>L>Tr/뭃\úmǹw5Vk q (*jM1ײI8f_]"g<5욀FkAm)kY@G}KJbo%ub+Uf5"$oɴHF%5%~ɽ<.VIFw8l"&?ܧ6bDGv<"8C-4jNTvD55Mxr6o?Eke5n>I2,6z1̦"Eb"Zh{\GIHH.$s||lWj@+&)nŦ4~pBܞᐣfJ;ߣmꝰ7SaNLDV|Uzb<05u|ro\Q La* m 4^E^ FScfM80n[=xa#b-0W>MBE]azyܮd(PDtB7[j fn/ezڥA?G$׽CY-"4)-EIG`=;~U{$5[Úi]$+:wJP y-Yt8.l"'Q6$lLsG$ 0M]YaozS/J5dm'1Һ,rv`3 F{cWÂO h#42I5?0bibu7_޿۠4nwR{JyzK6c2.&LZI>>V;?Ul0ޕD U:r鯹.+%b J(J.< Šuk ?QoGt >(^_R 1O}y->?(V A:?OA6I%}n!4sة$x(Rq^BVhv)mυ 3SHt7MQ$D4l)OxLYzFNRqu7|Dƛ,l! 6%^eazkTLXUA7"?1׎OFOJR1e+@d㔿*Ă4tCݵS]% \H^{8{- 滟eiBფ9NI\pϡ6y,0wi29߷^ [D['Z£l`t|ТRyt'gla1@b={=:J(d L%$CAG}+sYMr_E&.R[J-. NOfؠIћKAf`jz͵ 2ohy=J?nwZ|؁>O.:Ñ[1' k{p^?%zi,LEEU>3G&EC^waP_;g KD81 1Zb^e_Zƪyi!js-Sf}p ڊ{f?32 Υ41jiߪᇓi%xFOl5`y2X v//?DtˏXkJkE`}#\1ܝEbףD8o `t>vɒ֭4TXcBu0!ZK/~P!q`iҺ;+$vm;`L,˦a]fmhw˫X R5> ~r7+}pHkP2u2'3ESg"' -ik.sT4_E/jc1iZwb/xs,dScVV~Z[T| D`!dAmX=U#'zr ǻ}S !F"v'2b_pcd5gO(2F1i04F# vYC*_F;Y83>1X JR $l8d6]N{JIi:ʷ]ġ{V-.)4-Nր uY /Y jY^Ȯr+?BK<=Q,@$#{a g ›܄[N [Ar%8?oa<]gl9!xDW!h9IeК`m}ɺ;3edePG1"|5oO3Cƙ'RmKe{MCFdG~>%%n%xU`3^U{&o!T YQNjm4CU_XR-%zRJ} wťlqK DŅrnÈGӉ!T黟K֓Ǡ ƨgme젩5L@^0ncX?efTBp VgX - 7+[=|h]*k~3KAbsY2ەO0e-ı[l!Fs ۲Ub6:+Jt{khu;XW!;=32>pZ|b#_Knsz-N7R?4JcOC]&}asx(#.ҷYsQG8邖{h Wh<:g1ޡ"O'ϒ9׎zZwb5(rol*po̅eppeMm|h` i֫1zܣ1[{eJpCpc;=  I` ?+ꓥM x: Q1Ye57ҞDev'82qո5i@$ eIMsJқHd5,Cߑnr:B6rcY}g IQ.  (|Y(̶zHQ"5ta45?I2ԬhF\v0e;pJoj+ j^, ߭]d ȝ VdWAl;M0Y3eSbb{'ZRe:+u"[;J2=34Q7%␑nRޚ~D*|ly9h3‰c`ept$\CǶ5dn.16U: s?w7Km7=Y H!>{i>c1x(X˟oUŀq lW*ҭyDZD5ʺqTߎH]<1ٮh4B{ы*a3 > Ҋ%*HoZ>d56N^A[7{"\LֆZ߅  \b_U=0;Qߙ!8j|8&HPŠ 1#!K+Z٘ U&^'WB=Ds>\ *Twmh9ϗ@@63CX")b,Q={i$W&5T{3"5OMN(Ny8Eg}s_vp:rgsy؁uM~ UKmy즯">=o/01KY0lϼf?cN4m@QuWxDvTcL]'U(X{ael Ľ>d20FJ%5Fvu,DLLpDm%BL0s ab[Ñ2vAeH#C`=>K Ujfͼ迪-NA`*cJn D?Hp6օi7p# C*:ٜ>ӟ@4BwMT7hQ͎ƿ. k-Oe E2]Hג :W>ê; x$TjuΥwg&u$m3l:I Pwj3t-z1]OR \m @%@zhƧ⿒Ur$[{iQ y+J,8Gؘ|:4rN/SHj苕dP3ED"n!u?7PPQ -u߶pﺕ3HLɅU K/Iۑe=QpM GR&m_a* 3,n" hB?36:˅K`yIǵJ~sWuNPHvM߾r#Ng}W5-^ȡOQ)'z] ,47ԡf@ϔXMABdzDP #UEtJA! "YY&,jͺ' &p^,~|rlG;B(5Fz:[{|-z(/qjKLz-B>N'4pf~YK9D_[-!nݻ)y6g`CŨZeW/R3PkrIfR^J#Cw_KXB'46L.Tl_Vц7Œwl̴)Nk?ȗT[ ,-}-34A*-&$flL6x/'} 4rv:o[%AQeɞ`DrEA\KlשEQ!Q h\|ۜzyא8j`}LZAb& :}=*yGA|F$ [ϞN^ ݼQ%帥a!W+)R!RM7[@T]荔Ro}|uࣈ)KٳQu{ePb97$~G$ܪhQazvE\uю7SL5 Xu;~Iȹ9hVVϒ Bpϻ vmLX_E`m7l QNt}&hڱ9"p4t]3uD($ 1st I<h 6fSw!_/ϓܮBVKxp=̟|Fu&"ukC|q +*pεCt6=#mw %2kIw& 5p!ٻ))|v?cOL4=PϾ+@t3 l)upTѼ47P>ŋAkl2=& 4xt&闅w#&"y4d(Tk%Egj߶MJ#LIyu*oÝ[X)L_7.UX@{,wZ`GwD!{ RDҋƽx/7TA.^odjl#>onQW-+2#۔R#~ɣY8QVcQHsf =cGR,M\u2^.NoIꓟu:BGv]@;;Э S/Ǐ]=^0<Fq`^^P:fS`g \cIB+9iXfJHWv.]o-O~~:0}{g;KݸE ڴ6і}LP&gL8Éyteò771p-j w Y4ҨDC 1v()izN!»*V|݀ƒ ;+h(u,jPȍyGr15,N7I;V7e/Y {Ũ0ͧ= N0=3ӗ2ABw~ 7Y_(챦Xu;xxS],1]ya7(ߟh F3N4=v筀{"rCImֳr%ob2mk ֐M=~A=%,d*كn"X(R&P=sZS-w8v-Iy9:g WTٸ3}9-&Uƴ-LlFx2XM5JcTO?o6)*u3#fp+ؽJdghU+[ YkDy၍4<-t_V&QM2^0?OsߢGt 槣);o׷?=k[5 . >*NZ]"-JOָ=yz8!C!Qk&DwrcO#)ޭXF<[{7 D pk;C\oqSL-qx ?] 忝 1rr;qs]@~OvԛP Gէ5˳SvV߼:24+Z Μyѡ6c)ʠ$vxի)7|`Op g_6*ն@t 7 0| E]?PZdo>cpit WgAI3]4osf$pF(߾ח =y|GG_\qE|^dzlNs[z*;]RTwmqfY}J v[N#k6Ksac1I OO~o>D8J,}tܖkiڔzBx⤩DFz7ﬨJMٲ|lPǨC)rͻE3vJ#1`5|I,%(MN=cI}sxQ&U$s.Y;3i0!-PVK'i Iu9*4vTbꀤwF_ۓQE+M;^ b^9q_rr߁XģL݄\C"G>d3u1 r+HK&6 ]TAvD'La?4f Dn`  k=Q/YWR$A]hڽ%(6JC\)2fk_r "d| 8c=:_', #Ѣ|{j!QQkSg1|Wt=A5+iXɱJ$hcRCM{U\tĞi5>Qw5'eLڳo.:OBeb^}k10MB,g-zO'U$ -]N:)] Dm\wW{`j}N94jzSrHv-qvϜ{K>5wfmY/ o,1'~=T>-N/~ʞ VgŨ5۲lAG)#tǼ. u\OB(Θю4PK45{j9siݾRNDT=H Sթ3̧`REX1 ]ߛWp6 #.kub!I8؀8TY6@:hY"zۤ sh,\!ڜ54ڿC~'IN:K9dXfG 툪Z]IIvVcZcY?V\o⤜ /&Okp1E8 5z8!X΍uUd:K2HYQ-;vLlշ W<Q~׾> !wzɏݷB@YjR)wBnTOD ? k;CU YE$. iJwP3?}Nh:~ײ{m`\f· _JqVxDT KLjk+8bϢTzy)i fBs)D ajPw#ͽ!E$pēۥ]MDn@j7ttwU?u *:K|1ai-2J-ffU9 O)4F#ڄK$mHjgCZy2Xf b }H^J(4@1Dfמ]vp"ɃjJr>+*ބl4Zch 9GU8+\m,puL.v\yf1'7ק٘P g Pȓȅ~^Ҧ@@ Vg ^YQG4ndt}E]Y%Y;aZE^jKOj$-Z觏1KyK%*2Y_qA*(8Y- ,;!k1ڬ7lr˪s L4ZCWSmq*muM\&=ihv4Mf} >PSŸs xІ_H$3kmr \fkKS+DDf5-ru?%ؠvSs}enAw9CށB~Av bN^m_FU`#fKyŢ򃴤Uv熺R,T>c16tI!H psgQ}iw2f#odFJ:׵QXo'C&(FƼ  n͕HPR^\5W k5OʾzX~FlE`?2 K^ldrȬ`'' 5$_OSzMJc *oNlIt톣*kZ Ejۼ\6ðNZYJDu \+/S'\*yZyqO֜zm?r&q\|SȮ|ݣ`I[cb겹 B_emG½QcCJ 1Ғ2*P3|]h'|nOU 49g̚AUE9Q6>nܧ)!a)2aq z>RGDŽeV4X,k>tQޚu0L9X_&gk"ϗQ_ZqkCI{#膈?.p?g*?fjHs!€=xm56PG|6 К7LMmڏ(fe\Sb|_4X Y O]2|fb(<zY,zDBu^*t6N8B{LU<3_cu =[+Qm&5N;:j1=Ad n>6l݂w0LB*I8hNVbO*> p":\NdmT^Lb8Gcby^6DD\A5_ؓyGL+ F{cdh\YH)]Zs3Pgf+.i'ҋK%?1DghƖimą3yG:`*nS+n /6:iT. Fɩaѡ{[%tB/aChw-h&vm[Nrv)+Vo%J:3Bs9dLBz_Kb|c%L[Ԣf(01A)c\ e#Q  [J7|%G*!F6/A j6R^ܨs`%g2f/I2GhNj90dq-&lFޘ#Wgc36w!"\|8 LW{M0LMLIj{O!G9&5OԀ0? kl@01q+fV>h|5W&:qO^.w&aDi΀S[m `|ab6sqME;}>!JY jsg:&ÎϷgFEW [XeOȶ-f[a14'58q>me[|F ٭-{0(ёlCziDq;G~|W,>b+ipoF+]F<&5q~Wi׫2ɢ ˫ɘ6m=Q4afD| m]URXJ,7^.486{ҹ\@VAy %/.xxa-OlʺL5֢rQ48P+] 4j.XIzŎ%)F?0ZRo.u>`K"4 Ls?!: ^zJ?9y4`f= an?(Xw!@J&2' عZr &P n IPD};4+F(Pڋ67㨎gr|񿴹16YIHBHYF?5o 4cMO;OG,/`Bz9b*F'{]8 _ E!3GvpǿDj1{~Ȫ Qoe=ؘ[r&!:<:KT/>'/ICʶ`?-Cd ԇ!DV!TICc}%GQ w-w*Z\nI_1:v#"- 򩶯ɠ9y-vS#pEm(\d q4;TWo8BOҦl#aw=PE]ǍWcxr%A4-&o8>;N6zjQZ&uPےzt[}&5 ≿VmSV$z(LFlkXhʽEMW6{yo_(Κ |ln箙c<+=Rgt>F 2BUcvn;;_M'~zA [F Kab#u˧$Æ#:1<ȡOmNF*DF4ձqRF5mtҭ&V^dkX4Dß {hiZƊՂ1fHhEkR% 2zLwecP-1vܯ>Way iÂb=K`~ΦPy{mm "b\Tbmc"j~ޅ^BP&:#?HQ]vqt2}rnRyQ24 Y2~yr?C6$ayubZCskaBD˻-I-ף->bsΩrIB ǽ#?ڴwuGB`?'V>}Ž. #Hm0]Y N,/{:Ӝ!}B0dXN(; $)\BHi&`nwip *0>,YO1ԄsHWG_+^;VDaz4[rR;l8YXA 1nO(&19v5uYfm2vyЭ DP]t 6)$ ofZNMXS }| 58DGfeEu)ۦ]ѩׇ\|=քZ飏ђ" HqǍ t[.J7';7crnUKI+BbǓ5e}V >0Y͐3m(gR,~x]L2n>&t\G#[3_|+1C:_voV:vx3 Ƈ0wgtI`E(b$aH:.Qo bJ.jzqQq[[mRjҙ=ׯ\~SoZY`arzvNâ3~ C`ythW fMy8 AJTz=>FÿZUeAif/O-> nF[&hd ;`~_; I{dP0tU߱5LVuxYiG]?RgO.hi*Dv:gFz3@fq'Vjd/5 1OxFf+ӑ ʙq` 2CAP:cЏcؕ++~׹(ȃ1U 1'C4m9Pz#0b"_u6Cӡ'4D^zGʩ 7 c`ƒYD~CW6P%xAPvn9Q3F:_ "NC͆p̊,fO=[Qzв R't[ d5V^9t ›I H+aC˔˿ni` 4);ޣ2<;Ҵsz8:t'" 9 Ҹ.ϸy}ETS}ջ,|d˞_p-s} 9[j-Ẉ\%>Q.4+`ePųG%+es?ݛ' "ut}pLִ*Q'M$qm Nj^/v%뜝b*)X,f:f淟-{Tj #>FWc3/z0̆SxjGQN86}Y>;i!%_@~Dch(7=˵Zc-\* <5BB5/1XP`wCl+ܔ^5"̽+4("h%yjD@t“~0^˳ !#W;_P}xRyK.`uXO$绾EBỼ;rQ/gF،YLUV~'E.nP$8H75AQ!\7%&Tw%|2HփT=>ߥF,;_j{ͱE}vgT,j118fb(F:v WA(P.j._:@Lr%rteЄ^/b2Q׮s &L( -!@+f1/Q?}B <'jmyzE@*ʦjv-^ORq{ {im *? ۚ#" /7j@ETuDDX|qQh8PA_kb2ز^b}n#/Hh]r GKMhZ kiC&>Y!י7]rV˯bJ:yeĻw7Q&`SwڲCx43}K 6eSr1#S)=8fE$vZdC }ģoL:jBὈF- ]yɓ szihCT[`pJkhl~p.4Ώኖ0QL=c00=';!,*^kX?mbvoEg'l0Hk2j\cBul-=?}p 9Oս*ݨ#r(GEL'J3ux8M'j]6m2uDw_r+FL#8iF=r !\ߨf8(gxya$y<{Cl!?o _ Aqz$c:i1vܟ(ׁSH`0nubеGC I^AG>sNۓ[1nDU񎖠Ŀ_ L%eL2vIA\:_ruuhG-1D,4cS_X+'9W fm;w.m}z 'zх4oo*7Vt>eڛ~Vg$c~V$],PPzH)Oufn,)f=FN^;B7g#Vxb1wmkæ(qš +|b 1Z97=QMsOO=4bټ#)Wpik?He{G#3PÐXx mYD́,DIQۭ0Te|YEb OR#Q_ _Ȟg ߵH MӲcNBh"1gԍn}%]I h!/DħhJZS< 7:?U/(V"441{}1vT29S;0l! N=^Q?$)b7苧o 9~-M͟ELűQI;Vy 8jM=k/BQpSIIY\QmݲZ0` 1\җݏ_VuTJ{f] A/l;߸M&f:q铿-ï*se2Q#]`Xx&q#D^՚/]MO$kM!/]Xa+1ḿ[| ß*\Zu{i!A[)BuFFga(4P/\AR_k ˃U_;6O9T-ndl66DNz0-А6(OR-eNMHI+'hZΏ5>1!HQ:5KDg3ɜRUz*Rދڜf:孹zʹPOe V$~Ze?+h@g|M̨ ?ڋrQU9k$ Kx`[\` \O-:7& gGQiRhPxI+սam^nSu-ڢ3yQw؉{Fk:RtMʺܕ%cLl%Hv?,~II-z-d@V*:m&:mY0 ].3sUIJ3X:^OWŪD-Pp%]Lx7LO8J̗ `M"XMjɷjqo6:F%LeIM{iUL2l\te0 gDYV-t㟡5LO$ln3 iΜF4igC *&  ўؾ2yʫx2r@ӝ+&Mzu6ˍU"kTOܡrQ/eCEN@q3obaMS|la(~`aHQr21w-C}RM~G6&iS L"nԆMž1K- •NxCmM΀Q{;5P~? R \ނCv FK]:;CetƼg.8-3Y/݈sLAMSz9.̭,\WߚRhƳ ZH.͡˼JdψT(r!`Ha?XԯP&F@pJ].\l QHѾ~0dsX˞Gh3jlV[c`2_&Lbqߡt5CvD$%#L($D(W6$.M%Cjv0GƼH8$7x, l40Asx-No9Q걟M@9#Å!LRwה$v<GZIRʢ!Eӎ\99[ͤOı=ia -LQ4f5W4VZu$Anޝw T5qZYd4c8y  Qh4|jStaġqψUT&8:w!o>U?&ǽ\%CM񬌺Q(}S$ \87͢I"o(!t,!B~ *H 8#Z*hg 6⮐43q!SԶ0?#$?#X1RzԭJQ&LT/#_ i~ 2fyȀP#+Ri*P>B3t.?xQ2Hbcdyk($SD\=lZ;N&똟bsgU'2=pLuhN` u\(Om\[Z@ZՎ4-lBHH:]Ί١GF{s(v @Aoqj: Ѣ` 5qKl袚bo'VfwNJLhcSRd%H wPeQI٢ZoXy|@ɸ`j-\RΟDMrAjdw#gSUUz,j;b]3ɢ$__"WlCFOSF_[VBdzMD6%/)w}5`VB۞XI5V!`8xЗEA˺\^`n6$G'3jbUV BIRogٚbM1.0hzmc4YpNd=g7CQBy0ewW\\. X4-E Uʛ_tïUcXnv)m2+4ŌIY-O:`Ǵ HRH9HGW+.[;2X2tHVVHNJQ2 DIU{&J>fGxG)_UE}&hr'9x޶~wlRsθW/nT :lid$K#1ȁ_f>WMSK =QM"ܽs(`m`mEZ?%`yfc >HNP`b9"&Ϩ6z#y2SM`HM")lw$_D˹oC1mn%ޭaYARt U)hwB?c9VB/ij =ҩ;hH=mKh̅!J{ِB{~jP[x':l߬ZUьq6D߻ɢv7ɾ"fWV YSPm+ޟȎ.j +c.tB~C\W(/n#g#ւ}36_r&@Iqn Z7i;| :?pֈ89rySxppjس I}9~@Ygcԕp\W? 5M$,yGԾ h/%:RK7u@7 89D B.N* 9ȰlQL Y~;JYXmXfȲ.5/~U,Sᩓ1&jR.x#ޖ@ZCPy!?> fKdD}Uݺ徎ԏ)RUt8R2s*} >3n/~뙸$&1J?X>(AaQK6$[,n5>'se GcÈ#w% /F^/홽66bh[$lGsOaK-NӬ)E[ +*L1^'O@[ .yF^օ7}wmFdBǍo us:}c kam YF:IN %扦]0|ˋl -r Ek&4dPiCJ ^Mfff>C62Wgq%˵fSp-+7e8?-ؐXK/ ^ș+hjYO wl(9~gO2x(] Tl'珺u``t( FDI_*y.z9SNE{^JvMNNkf[dFb䎳50?)\k ն!q#TSpIBgbk%9ZoiMA-tFK^AfIԀ~9[[E@=zcIڡQXIyڜU6dP(Ũ&\4/ =`!\,bioQ9wy8r8gnˋ "KlC213[3g %4\ő[dJ3^d9p nMBMkKF3Q"au}d]#*8. !$rB($qq;rToJ2.'ͻ83"08S2'C4ݯҞtqA;Z44Oz'Z+":9]kJ82:AXΠ-A՜A\zQ`=A?@d Nx(Cd分f؛*O6kg{R }f%7J%EF[8b:1#x[=ln/ּզ!LY˟~l*P/ψ ?Wvәm,V{ޭZ7wuEq#Q2DӉqGI|s޾lQ%Eẹ.Zdk_Ϝh4JUIu:D5ej,:%FlawU /ǸͅFP=('YG)"w Lo gt\$>wp=#l bHe dnwc&R¿9˄2_\"=K]*6uawn |`N$@`Rb%Y I q7"48ِ>!}GNْˬ[""!(f}hvjD4|.WhT wIdužM5?t0vVy66~S)*AH Df&mV{0:(U]U*S5I#zر~MYSWGv^KUKx"0Kܶh?9)ٜ&Coqso-%HlƢ4r1.x|e@̴gwA4P!qJf ~v=Ū'ey$gB ET !/7A^P6Dc I3RwfD%_6l$Sk(4ց ,>~83sMqvjqϧ@EN36h%uJpмi\ҳ4GFw&Gyj{bl38&Qx i'lVPE#t0%y62FpՓze1-ytl4TlwneeXg~w|Vx'ʭ*@6,7fs4:՘NjL:svQ;ǚoH9p[AlKj" j'd̶ζv7XGKPbDHzB$AV]|߰ عaFpڧ;!ԿDy,3.`cʿi쮅,1b*&-v/^j(^пcZEpo6:>MɔE<<5HBuirלeD; Mp]` A}9pJd. tl1峇H J+ݾgbaV]e ^0tVz)3.1H-I#,wr9D摚K}'-nn>C`j;~¥G3?M.F0שu^1M)!D)q+~{ou ߑF7W"KW:Gԡ7!S={>qG G[vPx]b}x-Dxlc4"C,pBRo'_g8k8t1Q|lݾw}=i^rx,I0J2qbqjcn m.͵򚎃E'QExy+z vOp>nsοQ(/eןH JH H_e ӌ.;7ǎh s¾A`>/!T>8NƇ @zP ʊo.65E+*y>Ȼم)ab{РbW3kx&<_2!;I:P}ԣ|~Gē`ntœ |M6IKllhf^4֏vV7 Tkd0^D/DmT8^e>|C[Rr@jGN+MPxƟ%IUI/ȅ| #Vjo&R%_7KK0 4v]zɘOŭ\ᘴ(KJgX[)Ӡ0*%o2[;hL.J=:7%oOTpXH%5˹w@ [":p z7TuQ +_w\=yYVz_qIRܛWwΏԣNA-8We)*/{8A<"c-m˫(7C@OwٮF.B֧bG_H5,w paLO4Xlc`P'(՝w_PѰ>Bң&,Љ۟m(6afn01hW3\k:ƣ(C,L}iLG!5DcjNv> {_N 7˯Ԩ|C<7Cwք;h!:uiA=pDa~YZr8Ucv/;(pDQogD"2 IZyS B|B+5/7QB8qfްNYaqc%Ÿ2Kv|7{Np=6K>Xƈߏ*av{Nq@Hj}Iΐ7]ʷ[OP1 +0KJ8 ss.N_Κ%TY+0x4qhÑY1+"5r0SG@+Fk.PD2P6}l{Ave` j᫝G΅ߒft7%HQ#vjSetc1ZQ>)[$b10via|s->8*8*vrV]B/^EE}B!Gyҥ:s-Fs*epulyN@\OZ! ~乖_dl"v{ɯުqH">[a掯G.0q銁olGdg%dUW=O`S()Zpݒ,G=]BrpCՉ5$\nkwQeM*Ӎ^t`Xt?9֢)J?_DYcI3pgFu?(Ύv!~t®/J UqT6>A2d'P&K~dCcaYN@!h/_y.N{0Ith"b9# )-7 wj>}[ɹwGFma{(e<Ŀv+zV^Te5-wvwjR6E{"Z>ct!g_tKF8է4#}2Q7G8 G`'6ѡ9= xӮ\(Ń35X8S=T3n](FF}P{dJrGY =e5P[s7үvMؾ t EQϔe/6[v_eMrvh,$.lش\Ua%c6лfku: j^&ĕ>*" Uo1xi’ؾx\=z7;^Ji^EͥU"G;9p'kIq++jۍ;/gOSz=D,P\yY B%o- d-/[ k=k~O?ษ.3C-dj >UV\Tqpo4̀"}>ln \DF_ Jt] ri!PV΁r\AlqDQ 1@;P|>:"舥<&$uIVذ ^6ʫ\b%AJb7͒OWv$Ja/K:u˺>e߼WBt Y_- O 1lZ@&?BCbKo6 Ct(і{(*ER}2pH]4,Q؞FwLDwW[y&D6g-9]e}缀rSx x.ȃļPJ|`QI a`ewxmBS Ԧւ!SM!yeAΟ jI$G@Q[R|8{;Ŕ2I%]E#5b2WQr 9,. ~LT`s|Fuح~ 󔎺P.T](+#n*=Xn}W݋K]VX.?_h{Wa7<xKH8M Ō`$tȻ \Je;1`WJ `qqAyE8>̦iKNy4+Ɍ#fӗs>WRYss.Q{8wrPG$' Y%ZbTx*LaѫU3 tഭĊyDŽrVl~<,BT Tz ֓LV h\uN,fYsm3Nm5uVx~)EŊ '\nTT `!LbkFRNY`V8g͹R}ç?ZBK۪HV5ExNNV@W11roD̳Xqlhg7gɭL<6iXyeE^C"'yPi4 "&JwLظ4IͲό`d!j(u61t5‘ǫ?4N#H#c;۬X vcgzh#w̋TDȵe`AWG&C3l풜[]ڎqh)"1_td:G`?%.^*؝Öf8jZJdB܏LKAD~XݱJ6(73J$u8ؤ@kjMaB_uLKV0Vb޼H\ F#RU( Ϣ~ s!Ӂ8,[T/c֏Mt[=о L)5Vn5C|ϕ\(rr-jg!YzƟU'.4Jw16wR'h'*W]HΖJ_jK"8Wh/#;nwJr;n)bq[;in?=x/㙴4M̯ryK $BGPoXOE?{@3USvT<[L6/=)%u*gUHT<}k4X cTh!lraUQs]Rg((i*Je%"VQڟxʕh:2x]1-VHZ7O `;V]*1Og QÓ94f]!3NOXޖeΉr ŐmKxgtI iCsWF#crm ᜝޿ \?B=Ow= 0y9mT ' v ˊ6u}Ɂre頞%| K̪kQVE|馺 m"ek2F$75yss$U5؈|~ Q衛1lӥ0LDAEu3ŝ` dKok/oqrb/jqj՟Aav-'b +!0|#3*fP 6|WU4k )GzOLaAf޹~ yĝ1-l}u]&6RM,[_g.kXZ_3r;CaHkVJAZcw5Bb}0+$Eyg藡QxejPȪNF詈3t;,ud}bp tKFQ,v1|!-E[zVd ?[tY&9`>0 Y"^Q·~rHŸ[u9<%N֍ƩF B,{uzO}wb:#-^vsWc!lgaQh :!i#"THr6 K qx,ʁ9Ś1})$5b6gi 0KyO<2G=dX[Hu;h]לHlG` ۭ1)] wy3R.-o7պ%5: CCb%K iYe0t<'`g6)_|~@y !R=~bۯ_(f}} [6!1p}8ѕPPw H Y`CVp _XVjl6@-,pOf:eBOh'Lesvdp&}CA-*n]Uo#f"0(bVUEӋ7,s|UKػA]JK9W/ @ 4]ʠ-,əL[ds\9p]MK󲊼98čOhw1|W\N@S7˙% <3j #>LwzVŅ[~*9V5tHid"pyeB2SD&&~c%~L@Tr T,-L $3*sv'SAbd{N vZK9 eƂ ]Wv|k[6΢G SL"SN\*& hSY.̮+adp5T\Ӷ˒.gn3!4Rwk\>};eb9nTIދ`U P;̗=30=4Qi%NlՕ;w~zϩ<)IA%!Ն/j\I:; 57pBbl7ι䵩P=[Qa\렠HAo $S.d}1 a@18 'Ia#d3#-ƹ\֌l`0%d{oi7Hvu ijpc%t4!sф/\ODdR6_z푉(@ѓ p(lo= mN0 DMiDc 9Q, ͕<"`1=:נ3ߍ8k2 A''~=fvN{M;{?0ؙH"xfNcI+o4wiuBK_HcvfB9WQ? PQkY,b-C`֔TiZ ~Vf~i**\/r"/s:'N".ו|ҼSo'PH`ihV^fVN,_an}H.?wZ2mݳ@R'_ífQL&~rMAp0fdU@ƹ馟s~|`_5v^>eGb诅!y(3T+ k 1i7qljxU9>BRsĮf}܈1C=L*p[k.Ì;&(hzwځ\"-宮A)d05K۶K;#rWHG$;iܵ]3̷ 6u`#e ϩ" 6cA tEzq0Z)#B@z#]mԉj֦[:1%<@!P)pF+&HXY%`Ůw@T^Bl4q%w1"zɘ1;ɸVa ؋ RH>uV{)<GtuݐL9zꦍ6/ɼGBnWlN j?d+N%@r9j)t&!܂P]L:-ҋlUbVΎ[ͩ~& : mYJ%q:}-R!5Xjk^I˕pQqOnewMhyWwލ+w'>#@>Te.f#(jm(&Us._<ǡ%Z$}9_(-d=AAz̝ ZV$zx06j]hN?_KյAq<wx䴄:~lӐCJoR"5 "U% :zW \U&1`}&AIRf8;Q#'YL7ԑ'KM46LL!R10Tc]~Ѹ,b| eJ&Cч՗oˏCeiz}D`-Shi&(ݨN*x;BLVOՎCP n5ixK,/  $C_?;/B@}h RZ59*nN&CFZ{g Fom x#~F7œbfˈ)3>b?Ib"tqzS)A`5l9Y#vcV3Gr"WbG`Ll޽ s"'=9{af2]\XflI:F46c177nR'u@V+|^md`Nʀ=!0R@☓(NT՜n ErЊjJLR`1&^Б~w6Mqˉsl ݾ!BrL텠I&N*\n>^Òo-wFM`(H> )˜l}}ROFn,?LL.{60qElj޻3Y_r`;e ]Y0׮ӿqCgbm .UG&,:h6i \Xcl35ѵI^Uwǣ[NܱFyI(8Kb.U6@L U= 5*MNhioK[zdN7i$; Հf2ݵâg%JT <G"szvԡǝ~"ğ"_Qmfc\ZU}k%5y؛Sq&L<+EA.:0&^q;&@<4fIwhe1SϿ} +bTXgE s$Veu :f͐҄ؿ[A?䇘[PW6 Kz-JRXP<%ZmA_[Du0Rn8L14*lDOC6 l!8gw6Aj,⠏kk6~iރn:$eOT꘶C e+hGrrb9(U_?J꣥IYyhZⱍ{ʆd>YDܪԱO/Fsc+ŧ"-%-\v^(wMK\ԁ7=m'mi)xqn 9}_ Ijj N(75PhL.qlPJYxEӠmi w^+(l~#A\-^&b*cklX%OZ%jDu_2y`0 >!?GAZUlDPE)~:IWhLt8I#QLR9>g`Hm'L"eZiLa{ޫq6'rLHOsv!0 ֯m7;lZM};\2^16Ca-Opw6-5x.։G"xy4UxRBB,hzW&մj{ϯW8(U՜C+Xs4HQIkuIܲRKMƔVҒDh6s4n_T+cpJ,WZ|2]>>.\c[{(ϯ :nfPXgb(o/s#N9:%#N*cv\-'ط@-3HiSJD\$Q5"5Zp^{HP(ghsiuꥍ(lIhMPh%Q;$1cle? 28pV;Dv;hIs7æ$CAzo*FxЇMUD֥Y} &(*bN K*Q](VN4W:D˒oeDi|% ]ҝ4$U$>q֔@Q@4fC]kevKw\+٩ ƪqL( b) #۲n%|C^&'94ZQWY:Li1P{niBYJH vHoYcedBr1>D[V%"vmӁ\(-m4 e.,l㣑2C5MQ'wmr %lVɩgoA;Bj{]dz 2l(EPO|E) QR[]0h>̒}3IYu#^8y s:>29q =8u/0`_.lB jBnܺ? ޻KG'4kK^#æcq؍QK{ҕeF'7jnLk´sYm.M&*hqoĴoJ+^V80a?[fFQvyki!LЉ)NNzOyZ V6@`22K4f?%P%>= 29&g$ElH1;Eq=O#fx|?=! 8 SO3Η2>}>^s<ԸT/t1/"i ̾d#;bdE+<{:BbUӌ`ET5a*-l{FA/o;;uWZg[(خN](0PD` .R6xX~ΘɔF!$ #`gȹltYMpB岒<(?l{V^|J4k&wkq 1YEfMyipǾ+wX xҖ#1ʹ"pbmO dvR]ZmY䕤 $'ST[;=2@aaPnDA$iSv+Q|;ۨf"n~E]PzjyA"vt3Lر lv`y*OpPoAw$ ϖ&[ E§PNIt&n4v l5wA::I~^C<:<PnF3w$۳h>NE@U[>buī1&s5nDi_;v4~Wmy̛TC.+I9@d+Nq ]c ZCV*)*E=ǝ|dzWs,j* OmYtK3a׵cRhqWl>Qtj ,ytJTe9ў3'p=f0 KXw*ёQ?o pjW NiΜ( H6q`HgXhZJFmRq[ov߂C|u.G }Cu5\r[xP7˥\S1G fHZ"sQIږz,h";c*"8tF6gK48_Euͬ{ `"赶I'͂|N~dt6BuwJ`_2{],x=+Xb2a ~GV0yFvrk2Ztf;1Z GF^ί5 rW z Ev6l mؕȪ{ddGCLGj^z=tѯgVpY S("k =v:0mt==ఞ*aR I950X[ _3-Ǘs!ņGaP#T v"^t+x*"z8ƾVu\K6<+ o=wQn3dtzi(9ʭ^MD<Tz4O5 c/w X` L Lެ _;y@q4D /b:AkaXĖB?Yc]˃Ȟ82FmG/EuԍM EWٙ+Anf<ؐ "/<61otL4R.=E`C#' t,&j+6`^f\]y/.۱d2ׅex0,dk6 &"#hRmy\)^0ۧe3ge\428^}R,s_j,Rak6?Rz,^04v8]U(s@Ǧ7[(Vn@NcS` M<6v\X2>.CBA&w1tkg4!_]uݍܒ^˱Rw[7q?8Gvuu~|5!${t;+CVlb CduX(1Woj2?8:aCT^(#l]XuZ&Vx;xڳ7"ؐ=eW@ogѰt*-Gr~`46%SE=}++Ig_IޅJC);R3f8Jƹ-m5(uI=wF52w2bZ\T$(F^H)xwaIB{-E>H[$Kc?K*|>;xo9t?{6ל̷q6ڒT7Vz?µ))i/c VT *pD`м(:fbXRЕI:(+p`Hq)niP(C֠[Uѯ Ǡg%/6OPx)J: lw:Ľw9^jC#.JzrcDwYRl kHdNf)De@Vy?ta EF&d_8BPdZx-QҘ0(ۨ`S 7@TzUk6t>T_Q ǭ4:{UtJBG%_1ovB:ִ:!1p?mA?UM YbFMT 6q*Vu5n{>\[JYY0wx ߿6W GV8pH S\_C("CgQ<8T^y | R֝}̧Ywy bd !ؓk6ىU+CL'~F{ӕ1pjl|sPL懬7zFiooM4U&j)2HIldƎQi +ܺq&p3*'WZU!:\hF3&uȫ^+ל-Hp"vH::lKUT[#:ukϴnn1U숴;YWv*]!_=o#Sԏ0y\I X]o݃ϣCh]B{Z4G n/(buc QY խʝ΍lG[Nh =UNlX}X/'$ga Ē$Z>$F&f8^pʯk%#R6[j[L %2zJ3:>RJX(LA Y"i3 Jr=vnmdž)_HO]~JL yg䙋iDxpb)JdrT)*<# ޓ`9-nܗhJf[6 8syrӜN,.,:Gjn-.&4^*uV0 rhW] a\8kcox['6ج k:X\҂ fp'qіג#*p!/e'_]z,V~0x7G}1<[蜵8]ELP0xE|vskV ;rvn#QFUe[j/M>6$i>pv6ORZdMM#%x%QH %Qp4E,5bCC24%AGbybEIRepakGۀ\9<?UF%Qe'5b=ݷ? F&Z m[ ‘}tl;wpūq+H`@GSO46g PSޤ2zhHPYwm^_5ԉ6 )SB;zeQ$x$8A0_I`M=2r|6Wk}Lh2=+D|ޙYP*zp oy^Vۥ;wϛBw1U%^&deCű~(J.17mb-q M~3Bm >ŷȆBDc/y0Ku0IbHټv;Tj":(PdSA0-\ +L&sriN:Iq5|&Vψo>gAK>5sӣ_?Ɍ!W@)<jT+դI_\p!l]ժ Y j<[$yu_}u4[%,Nh`.Ij7 ݶ}4|=kW"$3]CwPjFeY0a0$p̰e/޶J AˉY. J NZC"h'﬒7 pױdwpOeBa3ӗJ(7fzLCET<ѾN¹B#s8bkh]Q'4f]GAV,|Yg>eĖihj*i+F{.?=:opy$階tIQ2n>*c3m!}S1kc +& Y$KfF$u^RȦf;'LWOw ts.C_ */ Or/B+YcWLoPbRx?E=Dk_R'hx:PoWݞ?sab!j)~d,~KscNtzOx#%ʚe [ad-tK>F[ ֞֘cu@my[â$0εOqPp5))q> WF$Y{.2`4·?֓*ϸjaB-=St4 ;9!M иa;Z 3 !oWR@D㼐6)$roQa"_nshַ̼x'MpCR7]'WhLh)Q[NөIUH M-=aq|_VҥHj Zcp!׵-[%XhU6tr Pmt~Ow'Pd=_Wp(.b&=bC (odF]]g&sCi0ߪz{FjEϬB -Mc}G5U-Hv{j*Q&4ƍGaױfg{jHɻ&@:rBm{c%HA4;%;@Øbd}O~b! 8%PoίqzJQwLN(&ΕJ7jN%uV̌:^n}lfvWj }'8#m5B7mKߛ;6dEI`b_iԈhkEaʴ|p=Gɲ F啳ɤz$ b(U5u3k/AߏLYg(DV{3OupުiĚ9ɅkèOPHӉ v吨(Uj oԍ)?OC6b# 6LD4ٟЯvK䐮M |-CFwo%15P^F3 I~amMe.7@#z&yrB߆x>H{fE( )'uJ.b&mN^^Ӂ<''(vO%VUBXafoTr0*MdhNuOU,90e(%J>?[e>n~hcwJnV$=.38-bDW |Ͱ,Uee <SETgg-($&-h_7AYO?R#6Y)sjeN]B)JE}Apj4*d?&RcDNrDv`X ua>sd*-%x8Umubz`,Nn:|M; )MHܜoɀ9nHSe!i|A|H4}H"JF]e;@f>kXY.^7_BYmd1ErL߼W~.QSvVYZѴuxl|WBg|lq~N?IVozFM,bD$a$(U߁,. -["߮džyDCFsf:`S=8\[#ޱt!68~}`?u]C!n2HSIx>9*!94ZIqJBPQ CҠ[CepY6EHܯʀ= a$0IHu6\6>H+T"CEWڐŭ #kmq\#RY++ 97ūd{90v ׺9}%5GbqӬT1Y%]W`0XchLֆc$qr'5b*A ! pO.(K&eq7+ yRH}(/]^1 +j<ڮ/ŝF>kv*(*7,hE O=UfM Xދ.H?;|$vU5Gl:ۼx$-Z)$uh JbA?UaЌQR J!jH WR/`^?.8\#35)"H=E߶x} 6`{US"_w!_ӺVzI^O缂]_ LWDZ|EuIlϕd]9ĥ$y%%P[.4=S v 7˜QzMR;05 N({L(x`W!•IC.^&Zq6gBbnj]YR"o&(usqTw u翈yJ@fւ6h>~3UI*h003Wt:}Ev^\ZN^1a>eK5[ Dϰ[# !,G9It iZ-D8ay[hi)ӄ|N37g-^G!gXfbjm)= gQwEs9UKyߔsx`Xf2(.ܠ0VgT70~rkoRw="?JlkUz[h 3rԜN ?Y%շ>tQOx-{,Is35%Hdʕ*$'ΰ+;~)c$Ed[&x<_$<)VIW:)|zͺ`Mm.`-5_*VxlJ)&$+_T1wH4 i^R_1iP_N%q?=60lx=\M泓Lj^xgt/@ 'EJ^` 9t+@F?R^E& 1/6^xx'0fg @¦CyH+7Uj`3ڠqce9n*r0ZbYzNH\=A|$2ׇ}5tR{)Ż\ӳiMmHP_~Ǧwa{P}竈U 0vhe0f/ӝ  .eQ<UV^^AGB@%>5.ayH:2rD?ŗ@!AE@ruNexgf˽P-. ZmC]F(6QP\&?F^| Ӻz5W$jKg.j <@; i!̉,vNjQJi;>+fիXiǀvCCD |@j R!@WH#尀EnPJ'jX qte"~v.vKMeXH&^ѹQ`PhOB$of6Ef6gA@9zⳝⰟR옰)q zTplx(CѴ( }a ݣuҢpTOls `4@7z&=Ɇ`Zm!(ĨVɪn ~!Dl7KٕpTwb+K`]ii?#2z I"LM Nahz'@?gb f>%c: *c=2ܣUm;Pc;*5`EmJw!gSJ 'oI#*d+ElVE,?ۖ>) 4Ih5%(Q R{ђ|l滼GVthi Ebov{-E}0HZ >? Uf`K\\QOCV>$' |CE@^&LtQ̰[a:V1CTa(\Dzw )Jz:z'濡-HQ;=[-1T{Qx ͵EiNfl VuyD]HmXJZz0]hhw$_-RAڸ2KPksrx.]7 (3k_:!AЉu}5 ߧn/ %^ݜ6Jh%s֗o" +.4ybSmWNqZl0KՒ^n}FIB]ڠZ63Zǃ0D]%ܰq\bjFe<Ǒkp-*QG96Bu.eʔz[GcĆHZ {]I6+H!O<&yMAi椡|m2n?ULU'!H&*Fހ;i)lf#=xI#"quqܹ{/U/a3u}+@G%m /oV;]0Y8&VWHBM76%œ҅1 f,\'^:a-+ly8_̨/1g|^KbB0mFx(*z)v7Z?^+&s?K\|@6@&ପ-CQslLMB%.uSl}5)@1H@ZӶlSc`h4ͷ܇Uf \W1H gR)љD.SU .kع?9)~ZeI&{{P`8X In篩2\Nk2D$F?Rvg)8ws\ U|VB[-- i!עV))̄:-ר3dM:UNJ["[n>\\LQVT|y;dC (x;peWyԚmɍ&9;}/TӴ_ <;ƟBK'VӵݬD!a7ҩ8nSNGèQU-|)Γz|0#5Ht_~ LAs,pa+,t+k~$3q=05 Wjk @䍙wAQ0o5gz.x(Ώ9B)/_ř%>,,}A/$<<.ovX$( +]Io4R<{/Zm:f}OZu],"', EUuq>b10E-''D?o_ 8f]hoҒ "P Lz_֓uaN "/Hm,3|qM#[I$̯ Ka-мK+:MyCAGdPYSLwN9wLOLi[ EE !"b^āYu;Qt6?{( vN_1ؼEW.cDVr ?394&T8,| jh3;|T{bF~͆z䤡/eO/T>ťFAtŠ!}hNj{%#v \vZmU+D=9nH#7;Q>E[4}x@?T ysf6[9YV`F ].a%~ڮI @ؚLTpqgOo@5H_^F>@k^,?ʈ CW޹YM>*}%ނ|a{^P]z]Wr(,{iǞyEH'%^_7 3Ob+WP]UӨ_Rja\^SFcROMK ϊpšSDg&ΈOY}s̲F٨An`ċHYÁx+iylu1Sk6l}=!&m~^-}To"wNEV<^=~ 97$igWJ:y8`#aɥbM/` :"?s1\jʮh2SCVT kpwtdhlPܬ WS meXWax岭ַwGn3* 9&> "0k{e uꘃ+=B 8NO$cRO#cN Q BD s8qZޥia0x3]neOdv ~}5>u-:j aoNƗ˩0bټ}$FY -?a87\e@Տ|hυh6&$裱} 쵨g~#q708 mL_4eХ!jK/,|+*YXח-qيpᄱj jybi栦+9٦m m6eI UIP|^! tj{+;!UKoZ@(qPp̴ .x0I"7: F2 L{|lL ߮Qw6t)Ҕg]{Dr,ۈ,›cF!WԮy4A=\]gWފ&ρ_Fƿl(3*b̒Gq]xC>yUy-h ]E?;WDgE6 mmvN˖#W p6m*#9Գ'5%urNv'At0^E~Fs^v2ГӹwpbT!?6:Xoe05娩A{ۧlu jdD Q=5uTI_>"+m-c!dj$h7y}n̄c~[1I„Wzњ%Ԇ>G@=YHmjmlV٠x'!mLEHxW$@^ߺIkcpRr8BgF-b$o_MpS(& ߞ$$!zn],vd¢srގ w˚8-et  *94ۍZ-?m'DBjz}WmV 8_`p gW`6oQ޿n%4/"їu(X EJX,{y D"n>KK_bB=duSWF8݉YA.>*" 22д'9G -!3SID1MeLLIZT!l tUvklp gH h!.ڬ3%poa$8*xঝ4%ُՐ]ծʖb}MY@ 3)[M,7- xڣڠʐ [YFErXXR#`6"j*`ۍF6 rgLQu I{XL 3OD%}V[Q& &z>Q߼p$7<ǟJ_ϲJ N0B~Βk9 I\v>Kr`KkK|$-j7 m=u(t:oWq)C3qO ";l*2D^VYH*x3ԛMam7b"a2hTUU:Àd*R0ٲNò<vuЦ3$tr}$Fԅ#62g{}Nmo= >EY-?+K(,qHaWveG5?9}8QF+8~̸󞽕Xz5:kmRLmJIy[#8edSf@٣MDչ ؓ&y`#WO/uo}ܑ9y.1a-sࠪ?5hSbIBg{9MKilO"ʪ -!., W@\حϒ.,q.XOy+>qo%Nw1 YN2 w^rӭJ:(6U(K jv3O>_Àv.27 2zUm=2Vn2m{yhd*P˅Pd'6@p$^Lːж #\5;|2< ]κi|3ˤrT>D|pb543 @5Jѫ(t1,^Vxs`Sbe!mM:syV_[9N67NpJOU/c)CK+̷{0Hw7sE/z9+ ="b` / [R d 7iz@rSwqyLVO2ecQ Rku:)XnS'NB5zjZʐewN_̧y0߯%^꘠ j?/XeZ}#I5@RðISj.ƭ_;X*b6zjВ\u tOPʮǮчCH/MWAV7ZѰҧY{fQnSz`Ba`j~12ƉK+eq5F^mˊiHbޟ50)W_ v;[ 6)#1Ƿ"dH2^ 'V])EXTkұ`1.-lNYpi<Ԯ,-Iɮa7rwYײ[VjCvA=yT=2>usX@sҊEi]u[H,^)$$Omhަb LOf(zGV/NdZk}܌(t@vd; >?!$ aB)H%pa?1.UGEГ|?-؜ k9&u7JQЪOhe3%susyl>W7IՆ XzAn盽OWjBx+\KgAe{]ߎ]=̻.QH)UˑY#oG?bO'¤.]T%0ǛQ1gttTHB7Z/\2[ɂS= &flpLDB( K' OK72#ojqWnNiq0ӳ%nvuT_c(nUw pK!myóSv.^ښC?X&{HNLdY厤+}3 j3{X$K#*a|ɽE? ǭƐa]8I`@A]'{tU?*Xx|}4X@ߜ`YKw7&@ w]?eKu޶ܨ,7|5}XZ&ɠnIʼn6"T7cL9fz&SeCɑ:Hb1*E3l8` cΛڳ˰!I(4.M&!hѐ*nxtYN#x(+[Idk|hɢH˴0]ĔX~L&=Ҋ3kFRsqҝI18W*Z~ựA٢@93u)He:V^BRGSb,9D|TӋb}ןĀ"Xc5*䡇1uH `≂b\K6Tl({#oU֥umqRՊȵƊ+fR9T:{1cOȅQ8i8vˆ?ʘU(r}U"65NQq=?(M҈U7X!+Jmc /-yj_+CaDyoB'Ug= Nm'bA5ǼZŁ$vSrZ3D:kyj_Nn lL%,=nY'y셁eJgm1HTJ+X#> MV; *[;WtOmwexN5oB)+@Op9q oEO=Nsӳ`'$Ҽ>idws_9c2oKsbỸ>aŧR͑HMJ𖺱rlu#YMşF VBGaC*#WLi+q-P uf5QgfJ-3xwt-н hL ,k>d (081ȕzRUakYOkz=ܧf.eZ`bm [AYkvhN d ςAgSwT#sKC|T/ݮ@ۏqS*$(gC+gDo .F\b2q5ӗānqƛPUj$HZ;Uv͛Tl06Qda1B=G[n0Y뜫 {g.QdEI`Tj^ 1% Gyz3Y-sg 'D?PV<~ŕC$F2/B |ig+q=evxrp>{@I_{\\C0i:7Kx֦1~H<}ej6%!|,8Xb[>LRt8bʰ@|t?fN(źt DZ3^ՎG[eh59ij|3fxc882M4(E#–o9Ɉ;n1 |Zz{E$ \Vv$އ<X]ugB'URy v3pta:1M3NJB8?Tʓ֏u?SP]\avW 7%8313`=6+K%iN&xcܬ܍'>-S>BX"?0(.E x?U5p0,7o%#&OSD4_sν8~}H<2].(t<+טYOg g#VwcB~} 5O) FS0;NXxRu4 6SVqg Fǡrp5GVnG]}Omf*"^KQ1q yP[),n`˯1"[q͇ cOh|b qÜu* 5tuk]'i7l@-ϲ/Ǽ]$ PݾI3{If|Щ=)$iVסƾB?S=-#NPK.|wI,s ]Қ{^S'\pW٭][p{FW]M]m"AEoFLo{h $e)V.첯J\%& oC÷IRdIOCDE&ʪdZɹK"p>G߉xz}~NIE(o :+';%Bx,o"@0ئ`_Tn7>rPJAǧ6dQ 0/=@'\@ˍsw ;!HKOo=$]97vЬJyw-dZŏ ;H(t^ۯeKS9ӵ<(pV8}}C89A pTNGͳvv|.{xI F{ykړ_pdAhQ lI&Hfk> -0M].UO$?o] .(AӚ,h5Kc-~&cE8+o}[xs6Zބ HP~x'}y47*LK9;YF&>m7cn Kĸ@恺B:8luc觍ҦvW,w*jŸȫ|MdhOY"5S: 7!A4pj/~zZf<8ț^`Le7܇>AtFNǔ t)FB#Oʛv_6;c-滓/!Zs{^H2w6Mzn%xd? ?h'O^"M!u>;N,#~[xZ:̩ LUΥaѫqMF Icʧc{@.gؕHH88"u5F^cդ4ͥ"PNADy0:mq6qPz%aFFZ bBb#:zFKbٳ/1-ܡgpuD|K8yĜ` _GdE;ǦKl3$ ^ g|[auTP2e#Ŗ<㽄%3j e t/ 漠 g3Xv C %VD%;!P,'k0r\w4gDyiDٶFNϰwJ[#H~ĆۢI^ :**,)FO3ͬ ;52) d<~7*vfuȼjZc=):^stl7ҳIj A^^{DU;V] jt5 Idu,^*wY w[f,޿ԗѧ Y8\(Ro$YHLyyDK6Nlh@kY) 10@V|VNPтERy@iO^}Ž:_mUYRc)6ҘFIc#D8G-7ǘVS`׀ "Uw ~D &ꨩ uud.@n*5˦o5cN^z\$g~a ^᷵{oݥQd!(j@l #pI1Ahu4%V^NL˨B|Q>wHu L`i(5$K{*evyO4o#8L*!£V!#xXB`뢤7mgbZ pUy])Pbca0(VU#Kh 0.qd9%~()w5 9UaF4i+kkTk?ac):q;Fv!4ɳt)}^RŮ|;ЍT,!}CѸ4&+(hk\H62}yNFƙ[ZZjZM{*Ï+#U)X@inLg;&%姬%tSɃ"9A) R0Ē&PpefSO~]Cp3N#.6++4o|0ͩc8Ϣ`GOn߱W"î<:^d P͝3Y+L`l:/Ʌ2HRx'k4!2"%BXq;T'Aqzo̵IPˣ7c2[? |MT!$X.0aoV-Δ.tDRD4`⏉"hfP~FV{ pk1 @*{> #K샛/>gV[el~ :C7t _DvRNB6WL@LtT㵤48}HC\A[Zo7@R]^T?ZM9H3Etk,`Pg>~\ǧJIk3$x8׉K oG1zp5< "LTknʍ䨕ȷj_Ef9>*3 \6j>+M3|  AL Tlr7)D,gyC<ʽ?\`Og7W6?, ,'&z+PC678п5c9(.(y鮇`I@OVz[0PbVo pb ~14WJ_B]p0?.ʪ8AEG2*r~:8sSHRO-I" Cm&<Ü8MmhTr- xN4ӗlOɖ\eeF#Qc4h]L{|% ^3|>Y 11~~X8/;!X9p`"z>6;p/Э%\L iA!R44|EȌ:T 'B5 JOɦL)?7mYՊbfg{`^"X Cݠ<F!Ǯb kb8p1~DHنn'sPofy9k{留sPsW¼ 4{A' Y>mzJDӇK D; #ID>~^^~!+adLXQ@|ALZ!rpfv.'rlzUlCR e]Gº|Yłcx[#"vHtX񤻤KGxDss(:̋C0)i4TBr6ko,bï|#'Xgn|JbeGR$2.0 D'%~H"=ly4(E6xqɈBlI M"WVmVI çz6!9R3I>l\5☧c;º^mu9ۡtk*d:UKVdV`3P0nd.*B**>ts)ZmY+oܼf6J |;EC"ө-*.n)x^HTVyP/)t>&fZ$z񦝻~_p$gYDRo8/\O,3Iݞ.aGIIi=9qr+^ ?dACo%2奬h%9Ye4u3۫RpH :JDLcz\=+odttͮa]!cl ʭ@ӣ/\BW'yg۵U"TO%1>?U$T0"Y(^fG`8O6CO)*k!<~a?{WSVk50\ @0"~)Dm 2{=cveibdիP{ayvfq2Ç 句g L%C{` Xkj^KYF-/o)gI/|UrY^(UP yDc$L=fvV6Ҁ[`e(w߅Gpa {F :-^*4)*_ޮ+hӵBLtdk7X*1Pp- $aGfJl˙~}qYP~H#YEnHYsQ>qTR6 b *!'Rȁ[D}OPߥ3y>*^ujOs04K*p#nj4Wơ!)tDޠ$X|(jVBeMoU7H+%wrn.~*E4jO&b R8Ӑݏ8YF<-nҙlseM+NAvˤR)Yl-bv_QX)-;(nȴ  _KiuywGs5MIΔ\Gh Ѧx`RVf5'&]]aqCX4貱G]1} Y >%|7^R q!= HRܨ-Iʪoo"R`V;.񆉻Z\aR0mç9D}yE08̅YL/]uQڿ }ޯ=8܅ķW[CW9bnuSNiqE.<|ːRs>VlِE~AB-3#KT_?'H`.ܼ#j|İO%M9\:E7g_ItݸP2*X"oxp;n&q߹TQ{i|wS,>FtRǾ,i'KW(VO`&d}Xݜb-LbObȺ%<274A5g?D|m^BJs+s2aFdjwy6~V7d4K^wo*m\s]rl״Mg.o---4P 74H˞7+.Cg62;Wd(|#j.sG*ɼ? I]ObI7ڣ#rSD㻓ƇӪ=yS^z|Om?CL |'M'N9H^5QIHyuИ<)vk(z>c>7=C^uo1OX >ȇAR\|p)$7PJq&(:HBfo봭MRTW?ş`t/=^(햎&Α}8/r,k_|:Z^0IU+jΞe/an^lX)4 Z8n՘cvKvm0fһ1T4ҽ.ƶ.+N.]`]zN$*x:xz`rٛǬriXY!$Wg؏#y@Ĩ߅E\y{U~ (Β^my-רRNΙˎ&kP =zr{C|V6T*;Xq"ˣ.06b8a1)tf,fw@3&A3q!7"20%oY>){T<5Rȟ ;悜 uԕ%z]'Nkר"UauI9U4Fn-MvZliJlPvmNu%/ץI@NjWIs}B!FӎSҏ#Ne~ I]` ɺ=b#4 Xp+z~:ϡ"z mt`h>Α3Hs*9ұқ&UgV!^*V.̑ȩ@28ӤM./ G}OŚ@g/_6A%Iq쒈T)6{,tJIF߁0 < iլOr+(0u1R̸Td;zL/sq䒶=נ(OkF!ZaNzQak^(b\UoH+#aVT/[6{9|"߀*B5v~𥏏'FENvyB:}1ADߧ45QΧ6<$eT2Xgh))l(ko髳ͮ%ץ8[lFc1`|>UJ(}%-a2kL(c^f6eq (Ўy&* )A1+u6$# `Jx+.ZNX Q[ N ? tQ~9kaxX ΠΑwk+r=}hDKJ'R](`W6N}j|U] 'o{:/Wc[:=\?0>_'K^.Z3Z[ v2Y۽YGI$tt.i4* I4EH0~x: :kAA/ @KV f;K"sFǜjTEyO&CO_0hR;lF$íY8 dg7^2*|f0J= J5E$18رa2?8 w Hu u / .a#D <~3~zi0:#bWUInk]Nؘ=4  Fi,ͽ#2{HFʫz{?u.ّt. v8a]-'7$pq=茠OxbgćI Jԑo 'qTc7.)SS(Pv~6,K[7dAcϫU+ex'IŖʬ[ p*J2uEFGٞ HY'}/ⴒŐ^xb0b -mi}*+U%o |Pݝs?>+7W&\wɔf@Yl!ld̉-$@#(͐IⰛ"PjŽ•<"{]!n#_֣w{$%]\ݰEمvY5ѩL6RzJ P̮CXl{΅ -P]vI8Bh BM0S{Yy U΂F^# ] >#_[ y)/QЄ#" j ,E6':hd#"gamo&Pv bܼͤEБVM31TAYxt s}4ozvUA!H4pn6e;+:I4;_L#-ָ U-HYI 2Ŗl̘qQނWO oF{[ig<0AH0A2IW> esiۥ +-Y)N!HޗJxZy/yAedQYT7P&ϐK˶h恜#o[[2^4@I ѨXǚ}>5+L8%:fh%Wұٍ *Lz)݂n}$Pgӆ˜;L.!]lԱ=׊ABM^7Â`!^JqQG P[I\i8/ NCך-ˍѴ?F0U_#,0^Cz,p P]k xA([,7X brMt"b]Š/ g%p)=gldƗnҜ&/jxf rEM#w.%Tդ0) !F_:} ,[uaTIlRAW>.sA&gr1mJ6pW?[ qcu>Y6Naٽ>k{EC+v$?SLI`bMKf6}7wp QFkvSqEAZØ 3܆u&vir e8g~(c< F^+ڎ:AR;5uzJ!O R,{ɠ5И#+ʩD@[RF d$\qAdy~L#5>L NRI =S̓_TP- %׬QIV%ʶb$%N7EE(յ3.rrMcIp$,Ȝ[M^uW J c/kd͇zƵӽ^n`k3{<#ݮܒosy.)YXN%R9T`L 쮚;s | 4Zb;g?ASUך-.'!* `Y>Bnﲉfa)V'| $R^5KY1nB0ǠY~}~yPDng鈗H KFݦFg,5Ad[G7at\NȩD>J75 bZqw G3N˴?ȁC!-i#+.R^tƎ߈O0C_K\2_iB0~6J(e҅#k{84d}Li%h(F?h}#~yv^s4) xђT>&.Xgr: -Y 3RE7`/Ⱦb(tPtqA}˙RPdC 'Kwt ZR#(_zL~3Lؽӟ`9i~m$?A"nR7j1YAcQ 7h'b3~j2*htmD-}6;=2idJ~\1[{<֪,^KFsbIVRCQaGU j1C>ۺ1I{9Yi;M}p|6uaբIm'CqĞSo'jø7&+Az&yE+ #IfQa :0R8|.cg#\ aAiSA,wZVCK҆q=Fsu0>|^v%դ*.Fv%"*CgW3%g47}hϾ~XqljXi ˾$辶sulFTDa ा*hA+RfKOYy"BG,Q;Ioo5S=9^00G3p>:>^G%(7-n&*1pilGLA/Šlӣ5]۸4K'9{S1<1 &SQユ" m7ןqC, nбq(ɠxr&+5GG?Vu&HBӿt/RdyΎ[Zp"Qeh1!7alk i|Ohmmè4N<HĢyC^u('s*l:+Y)Ž,Oơ7?/3!MUT8- RLax`NJUr;tB`J_#g[Wi뢎|!vs\,XG%tQMB1>\B Jx@5Qϯ3Vrȏ 9|mQ/+ؔCIf.rHYGOcq?3 ۪Xze0,6L Y\E;JC[)\hN\У+Qt 4epf Βe>hFk݋:I^ᑧ?zx 3&~Soq;pI˕{ Mc@xD_zInn¯0&\ j\&mJ&O=sMb>3;b~f(vYѳ.:h ˠK)}aףl!2LM.{ 3Gm@7D`iTOȵticmx%lN]H/ĵ>]~'Ax֘>r-W_D-_ 6Z;-)hpG/SƓnHꙮ@a 8=F5_вA ߁ݑ2gDgF;K{O MWiKD2L 2UlsJIf?.kq4Hǰ\A].+cѻU`ȯ$*WRJ^+Cڛ\SηtqyR |V>#fn(>Dſoy \ZޜnRUԿ^yQ2OC-{Znh3Smѵz(5 Uۤ>Og5րg8<%9Dzϑ K|-%Qn>81:NJf,?)5/E;\{^1pHњ{ Q}& U'#.f^:wkga>҆L[۞YGC/17IT3A\5~8lI)Z-a;π~lHOZKU&cg?e|:R.T?xůvMHp=M38;],'l?L҆?]]:DK9>j&E< #u_LAKx!;qIX5uSwD a>/`(GqaP)XdSH8?2R.{e?e[7O焯O3jpU_d![d<*XAkQޢ7]osy!Hs4܉x_ոV ^ڊv{C_L_b箱jba\qxN+@$kʹŢg7 xr9p\}y80:AUZi]QV4kN\PN =h=IkakpP`.V@[`mVӎM~kyc_LP%r TO>h}aĹ \:kP+TPެ=Nmd%dsQ@|+6%wZgxdqد`g/z дOh}lRqӇ \#Xe50GT2['znlgYqIhHl'{ L=r/w"),n !B2çxGh~R5hOuK"ueJ3ܑ/ֱَpq8Ԡ=䄃D} p@,Lr*J)#2}|з4gωOJ`RBK:]1zB9.I #XQeֽQ=F",)âzfۂ6ʊ %f~drO# `13Am74/BOpP=A=3Ɣ`x xĽ+k!WFBi(,[gqVj|ꙴo-RªVWtJzf?i:-+4~P7U¬}0+E9=%WB;R^8#ÖL7\jfmYnWԣ~ќbs"~NgD8j:+_߬< ]oIě0_;+6Xvᄜc*1!rD3L=뀸Hyko*ĵ^ׄ@8 a";"Q)O'jk촭aș^d 0MߕZ&T2*!AN50WjlBF:TlD $n,vql-P6SP$bJ+^DYGHị-Ծ%֖8CtµrڎAٺknf=&G$7U[? Eba_@jѝ"a0N9ijcE0C-[zLH>g3~3$  I<_njrQT̚ `_1G]x2XIDz>!r=9&_;$aN!M 9x}*]G;l",|*B1L26^O\^n`8KD-`eȚ)H51`X`v"%n$!珵5!MxɼjOvIsTK6Iށ9GyU+W~U?[oL2,/I l[LxCQjOAK -]k܉{K)||lv"!R:pKoNK)0[!_$ӃEXݤfWJ]P uQpeh=uiotH{I(- F%y~725`YG1iQ]M8{:W5!e{?0iO"ϙ-tJ#!dKK7 GϥBCDNi5翡H' Xj"a)?~<^#)y!N_Ώ:߼*XYL+ݏv֋ovDW`xݫÒD6_`ma6P|_|J0qW25Jr*:=o{V1A/Ohe`WNCn9/wt?[ɭ>Aj?kbTKJ胴{T) Pؼ`C%5١gFD k'jq}g){v*(DbFw҇rOS~qW|򕹧i^E~Mژ6*sѿ*5O?yU / L6qi#g.)J\piSezNgdtz%I¡-W`bT&Ur [o+V/E\\x[KO\P17 ?th nI*Mi{<qHΓ&MVD")ڻFV"S~_% qsXӢ[gmO!ZIAo 6B(J:!֚>GzWO DӠKD2x@gqg?ϻrTLl*kR* I_<*'=rU4&u{H6T{3~tOL6HQ580&N1(&*"oF5##/a(ڬАXoLox,fI^HQQ`O۠+; m!/6$|2tSF־fW%N 9QLؽ1y,'mSYh:Զ I~4T#2-.9tLPM*;[҆oS&.0]NLjsd{"vX}^2ڙ=PK7DQueDR_C*:Ҏ8S%)B)ڈWam}ڰ}Y(60H?3@\ Kh[0fB!WN8_ 6$w zjn3! <~qE(}L4Yv4Qlnf>׮6Mb,GI[Ih! A!y6[`q7~3p6ɞ\v*zqcGࢻ[ yBuB_†kVq~kbѬ>F0m"δ8Ԣ}ײ}UaT@w3iD _) SFy4- @SVWvF{?1 P*Ļ_ RC]+!se{piMmUD3db~ݣm6=mzub#qVT:CZ7lr b lH\ bWTw@[_%w  =F ̗R4Y䬻 ƞ}LnWuN[ԟR<4s:p}mmы{ޠp=>(qA?H} ڳ%D?^v,N$DKmA1ZC+3(Kaʭsz)eygG1n[ܯYLOYk҅h^)0Kqqgh ޢ!A((y[ j Ԭ4ٷ}(vJQƃCEI%lo mJ}i^ƶ!hc \ 0VN6ws, 3u+`"R:g$K-ؐ/q?Rb6PfjPCl[*^E>xI񼎏%0$kANt)+"Nқ~[1\ tyQ1xYT%4i?qUE3Lѩ&ֹD觎MfڢHh@U#BWr>\?F2&gZH5M0ClB0 C"HDԪi+ÑRMIc\TF>]#̖V^~zQ@ iԲNl3r9i 5^Wsp(T@k:q}c?.9{Ѹ>FD|=k.>Eu,>8nJɕ*8b+fӲsnH5VA7t|g1&J˔.1&F* wWgbCE2 'bKUt2"P<̆a,̈́^rľBj[D#;Tui*:G"{(Q۠vY]SS&c9*ɑ z˖Oق:B+Љ9!$:5J@Qò=5שIf3FՇ*|N Am"8LkPG'"lTipaR{hhR wJ ~v^;L.f*HlP `n҅qff/ !5f{Mwc&{;+T4D!M\pCzN'ԣIr< (PAثElb {kޤۖ :qU A3Xۃ,{َI 5)T!Mr%k T#&1sx>q)+VP[RB͆}bRj=!g)E=BuRC+EǷVxύyOr$dE{-E$ѥ{ S(7Ul&Sb7ތɜdL㕪j tu@#bMNރ_I.dP*7̋d}NoC/x3#6SZ =]l/*ug::7UꂁLyP7OTCGJI4݋T=ы782vy"0GfC,Q6L)'GiV]./(t/g1rtf՚ r~Hb` ZrDT J]ġ*a^XuL jk4ݚg$1ՇaTo Sٜ; ߆}w-o^ĉH3/³=' #9VW8jѦ•wuۏy ?Pi#>,a,b @^#4]q uxJU0 #Y8S= y4Z)p_NM),<嶴FODXm'Z~!3gX3b" /w7n!qw•!H-vܩ!`EM3Ѥ']hCl?bSW0L/[p5;^5oec'XOog%5;X-2f@lLueV%)w,_םFm]DB"m='u톺z)uq:Gi<5m("'`-K~'Mqx%֧cogx|F {խ6:N0;])]R#*(#CAҘM?XO \(ia>/9Y{u(dO+dPa}3J4RFqkB͊sYk_t"d/sxֿu TE!Ɖضx>^ g#]Fo9 SKY4GpK,6~:}YNX95ݬ{51=ʈ# =iKeĀNG;q-bOWPx8h5 Djl]eKtQ.dO͚DOczlrCSZQ-ypPǜUJX಴XϮUUeRo~B 4B:_T~#(G53aAIԷLY}4AlizƊFeȍtV7e% 3~I|f>6>sS)CA$bsP&\EXU'Gt@0z ~PD!Ȝ9tYeG/ze=6. ;[Dj jg~UgݳzmTna+B Rqn-'Q}QLd'TZJSsȼJ~YNy- oF1 tB $# 9ћJ5MB(p81ifb4{o59a]LwHI9Lv,.A>!c#8fd8v_h[U/(SYQjA|-|:@,7 Kg\^ Ԡmezα8D^[Ԁ4]=8b쩱|ˢL_ΏYiM}$`GZD,I/Z$lh(t ޕ{A{4%Z "`qv T|+\*fL'w- ȫ] |Mn̸J4Y 2elOf9l4S(F1t~_,;:˜IW%Qg]x]~g,[fk?2fД(l[ndk^*h I %j0^_gJr@.FY/<)V^>'.\XV /E22&6A`J3#4V!ofFM;&nqow- oMܿ$qӕm{|^-s]/޳A݉a"4T`/NVa#Y. sV`ɞW؂EԁF2cv%D)grӶ}T6V*-"'(4eQ8åo1C2>7COIGmX%rLJ*#((/b2`ܔy8UڜLQ#[Uxxh\Dw;l;!1w+L KʿF >,t 7PsnnZ0koΗ iwY++G)a9:хUfΚV%8F]t.+*P YVGh% JOv ׹ nZՖvVy0=#ӽ쓪¯i_ D'cBJ}: & \ >X!pދr B+\i7&BvjwsMb6l04Xg}SS&n{Tx%@s"n+)y8d/'ŷ:tRt/#|RE¢PR-MmZ o"OB|6&ܓ Pr3 vͳ7 |']Ni"1`W:C muHsy}y"JKfQd7SK;3vdкTBNnFJ$J7kEH#bήG^+[ZijE1 lTp+bm2?<AW[BQwO^e Jx0BCoxH㼲%*eɗީkq̲O&Y٫<հ$ZLQv]}!Y/_a /be4mcA!V=m. "ocsDE k!WΫ QCzI ߈ ̲DSe } |$lOhY}2Ɨ42#i ,xqN_y`8DA=~|ƨrU@?Ҩ@`\`VHWPk MV}/>df2Ssr9H3,0t `v'_cqM?'Z˸( ?w=ȌuOPS EXOfWN^CIwc^(qO0bQ3#^q-/_4/sBúsO'Mbj~`5ܡBr?I<za4 meYW_QcPb.3%zdYdF|wVӪBeHr?iLrȑς01Rh WḂx( ֶzzdghz;̰ ; xc#&1[(74k0j> `e;3 RhQs~gt ΚZLO1K.@V:Fm \ o*)f/,LL9$ի\D8=8rEinЀI¨IQv7t2} @ fHtUD 1@ Z8!~9uo5:b K(cl{ùc3$1 Km,?踠-ŀ0] #t[m * ؛M@9x9.-NQ`}PyB֎#?W95J|y2Y#k"YK56Jxգ¶N1(sVqgi>\|Nv)T*br={A|S`JVi({\.b5<| *]圢\)$͇ɧƒ3*`iuo@h8^TTwsVx́~9jj}9vJ^!$Cfbʔ$JCq5<%؁"}yFBJsrC3머Ʊt񢊧솳2NNQ^tJMn12SyRNB#v\lX 740o7nL-8WM-Y$?KP vγh B܌R=f(cGMOQ^@Œ}ʠ`K&=$S*^1vUP}Ɖ~w >hЮL V֐\! RuP瑍_W}{O6'u!c;(Y< LqHq'L1]Tr_s%7to"/F^_m_O6:7uԓ#S-pd0d`ًxVENܗdKiMZיz~2FQye閘1k&=E8^dxV~h?XWʁDYoH幛jddq dD z~F5NH:-\رQ*9)#8jnRX#|R ?5שbz"g[0)^KjxFf_rW)۩2܍jK~B|(Ϊa~ఖ7q'Թ$"XȺl_{NS0PTO*` жF)f7"uM5#Scσ6 4?^j!,#k+YK(ѿ_gظILI-yK,{߰}Mt X0@-s =; Ȝ,1$~#vp~5wA2$VE Rө2|HKY =X#E9ZNǟ'϶7FJQ"6xԑq>!h*1MG(vI‡D*mE]K;ΛuĉoL7/"LL5~bMw؉j(,* 6q[Џ5,s@f qu)Y$@+{[GIXA.}} JgHEr=W_ (M5(M W/!X\m &K͗/~tAym("wqp!q-lX<ARd:g`]5.رF(2늻%ڕjRդv 3 *$ H_I p4? uB <ѽ?IySI]|?%/\+#Y=Զ/Q&t|mte0*-$hsܚz+˰+"pPK%"?p!>*ySp'ɏ՟-Ŷ Qz~fi%fޣ>I1r?P4jm\stKJζ|2~,a^q+!]j̥KPnv5Ǫ|7OzrNKۓ*$gܰ HZ-k)^ЧR%c5[CPFbdl'([~˔j̚B]%5}db:0j0\Ř[wI@Tl ߾n, Z v5AS6SK=ongusԐfyO?ɒp(8elt545QW'ҀOuFd$MڱOS㈀)QNߗ-ziIZHD'cdVRRzqA+4jg+KB𦶍72j">HXnk4;W#.e`9*d;qqFw^,&܈Nj@#yF5fY.=*NNO4 x$o3sVE/Վcؒt9dIh&Ϸ3=bԃ8Bߊ(ȉEæ"bKwa>LQBMt';j>zC~):}I,|vK(2~$+&Xjo>Yl<DᖖC!o*{z+`[Qma9S]P(?Xq7 #h?~H>g (muWnb?W¯lp֑ΜDzetDľ)$*&C-"߿(xӘӐ< :< eۇKGoj+a!@LѶ},v#KR#Sk*tJ"(4DNqfc0\E7Ҽ؊qZSvɕYgJ:>yQcQL|~jp\'Ƌi=^v/\nQ#.&}zV<޽븾C~G9`UJ߈2 r#dTȅ^J!R:=]{UdK0s:]az]_c9^~tA#C:Ǭb2:aGYZ,hfV΄m|ezI8itLqՂ޷!1T0Ra;MN5CME7%p Zg@W @$_m=u8zf$hrQ{ۏvh\CCٙ(:n y$xᣪ-r++VrN]7ߗIÔQ%q0E#վYMzku~'3eMڤcClPY qhՑΌgu}> R86`^LGv"ΖRkbP%vˁZ7ߟ auAɺrl̨z$ƞ&E2̱֚8Qm/e ~ /}vLfGJ7Z̻=ݎ2 M,7HF8/[\:~'R ?ԟyufĭ{H^}ʁo;Buxx2'an&:VQW>pR*p#g#3PG*;Go:55?fi”6-=W D /_Z9A,`=g'Nrn> Z]S4 {(re{({ [~':2xAI&Z{+6Gogt Ҵϥߌ||xki"B^\{*G$]ͅ%ϖkOV`&P5`)°<|?mB(E;,4H%0ŪA;/ۣ0ɶɃ'gZʏ'{ŊO155d6aG)CGG).H:DSEu';~w2BF-9/&4OzVIDr come⾒UtY^891Q;]U$botb4́ufjNE/(PhbO/#ը2ltT{ߊUw&5'?2q%Be(DQ1h@N?`,v.({GTcjyӮ17,|&jd~dAzj2޺DI#GHw`lB 6 [̐$j:JѼx !Ue;HsbU:WE e y>wVyCd#4VύM~NµB|L=$7%alD+3>`}T9R'" }"G1-+&NOvɓ Ɩ9UK]OMƧ#v;.@A8&t@̯lAvȺA:\}"8V݁`uLx%u> zNTWnV]HZ͙X! *.)^InQIXMj|#K8%3k(,sY7֓IY N+AmڀybHv`my-ٍ.y !25B %V$7%iD\ZR Nm{&$VjgF,Q/WR~[Қw—Sy2x_B%z|#qq;ŘO !G_gʒ]w'w"[˪t,(A_o0IB=||o,+3ېʪkv~3Lְ4՝.C󠧲~Ьzx, սJ(㐩t_\ʢlY+!+?4@qShEY3'7c1\4 YW/H77Țһ*v^cӉ[8Us fdYԃDbHxNr=4aԡOFhs=DR N㑀: k: ̢Ni9"YPf&~yTJv )'Xn'+6;MZ{6c go~PҗD"6u>-UZ\C=!M4s%|H?>8)dm&(D?*ǹĴS' 48҂A!ŭg.8 !f0MY8>$}/v+4Zd8"#BܿSP_͕aδ,Mv(_?)bbbĹU“ L?Eԅo B-h)qfF7nU =J2DKCӅxq#56:( 4l݊1۔@7F[%dUgV94U_k$\a~;uXIKי-xlQb!Z,A-R7mNo !@ܲ''L\@GwA ޡE򾉈Fy8Ns- iRQ\9|ϛi<&5D<&vqJ&\"VًNӝ˘!~ l4`.ȳ/Mvwkvd,zoilb5/$Dt&,Lv n8q4|yDc6rW}}-(/x_yg6b7ݲmcP2΁pU|ֳ;V'#Wx( _wܸWinZL 9AaS ZsQ@-khp^wx-poοT`#3-f5 [8IQúKs"k\[d`'M †J VA컭9+}ḽ&;@I;^7~IV=,653h#f`%#:|[lIV0*-~ZI{Fl8&]C*UUUlHtN?[GtBnW> ٬3ȬL=tHHɚ5␗.;wrIE ˸'oo#6TrNUhIV,8yF( S2= 8OTZlc#v Mq<%k/JW O^NZNon$|jQOBLH:<Ԁ +j~?5YTpaKatD Kæݼ4L^ Ws$%- `be!FKZ{"!wkxC[Goja -GV8kuScqBgƣ<8#@l3tϭ*q*رLkC@dW>eRd4*e_' 6(9P34|)p#jK[N+%KVC%dž$Բ\IIro_p 7C 4$(PM/V&RAY8KH|#ؕ*ag/kӞ4ά0g C9nI| wHSyX!⏙._h5>j%o_=oM1= yf*[`o7H$`z_ws9e(K)n5p4*):52yV]"Fľy[Gū:uuhF?x̊;{?`}ZJQ7߻ocKI>b ;i: GO2D{83>X5q]A/䎲㳇~6}ACQ;pJZ&i8hSi^azR"i7ER{3KP,c: ΖyZgMȜr=(ی'ztAawBJ._8\/( h(]!ƎC4H19 _v+ۂ"f Vo.:ǧs9Q#h?Lo~+Ut/sNON`͜Ӌ'?߅^֮#[Aw{JM g>뚵c<3oF(s!)mp#νj^~+NDco0VLK☪P2&o1SUyHm, ׀|?>@yR%1Eu:CtEQۉ8@P- ^NzG*y#⌃e8q$ylHJI_q}Jrd5x?^Vian* F-nfd[K `^}:ia8լ`rghpra2 7Tp-C]ω2s7CX*hG%OpBСƠ׳ylݪw=N`59 z ZCx'Grzi!ɐVsl'- aw2%Iā3(4 + v|-n/bn AΑߍVn[uT';Z%dC63y-2]f.M8'whb68AQq⛶"| 91[Fu1<ty'>^Md]dZ#r1›}z7T:n&X㪣|J0z0O@(ޓmwAJ&Oo`殙KNt2$'YG`/ tCӒм;7WO1xh#ց~PSި G6f笱_)di‚`BDhrS1EaDRMq9*nfNVe?b #1RkfkkE+,`p7.hF,PgDtiى}iL'aB[I+- ԱD%[,1|?SHpDevXTSphR ]*@/-2, {b닽[m)8'f@̡X׃,w?⦉ 3{Nn=>Cbd乯y,8!Hw.'~_x LYM"o`*mEL;3zfd+e/ÓOy[ago}r`US68g4/@7|ɍh#?_קBǙY%ӷi=YLh?8euf}ڝɰ}9O~GBY;ῐ,J[2=ci+ӥjxOÚZSο3ύhe;VE -Z7F3z9^5!?$&p YhnSi: `*!BR׿>E6iwe enڹ9HL9B6GˆyDžNMT2Ƞ(=6Rvdv^`!`2|jUy±#Z)tKq)NAG5a|c.(0U!TI\5uBenO%'@)О;0&M0Ej/vh!aR$<@0kZ*M]w,5o]- n 57Xeӄl{X ZaЎ K1E[dWoі5TXa{Z"=z6X--Y#=P; '^^SL%$(x`6B5rvgT劕˶6%la~ s{ >L0Ӫ5oۮrDVⵉˏeze@|Bg!Fb~]{9 /$J] NE&~eJu6I!I/;̜A{ꬉЪG聤mIN pӑ ̦ Io-f5փ-cnœ3$8-<`?uvLQl{n#swT%_F% >(Y6P4ChV9T)*GA Q^pOOn?lIUki SH9lЗς^+DdAdW,P$YIǚ2 'HzX։t^ YK!|u\d;"Y/*`5![+Pnk]U\™]Cf1/) AQ71gmžDW4ڰ[OQdK岱K53&6_qHĺ([2g Qv<&e1vd\TQⵣT?# YBBv i[r\w{I%G9jF0tPL ʼ ѣ){! Yρ]^-!cyMlѿ(2qЙæP޴c}>%Ū9<#iQԞ ;&YCg[l~p+z 12Dfn\uuƴt`Q9Zȝ`'!} +oA/wxAcmb1FL DCI(ԊfסNow(do4`i]_%e)k;3Cy}뽳)3?n#}hl 'T3 $}G,{_<'6%.ܹ ÙbPʨ|Hjb/8 d̕:>uz0y^j{ęܛwN2rU?GLҶlAƅ[.{8c^I/+-v&ìL@ /;Js[^`Rr> -tOH;/AWϔ=\3kqbTAF/=+)O1eY&#d<{c<{} TZ6,W\M E sg>m|a;%hns Tz+#^S|IVe(i(0#N@xoo [~SN4͑p%f|ڏ|"&AK{0|;5qks ȋ9@WD:KuBa5WiBA$:*d`X-+ NIp;.47g% v$z@`LTO)obg/#EXru:wD2﷏l5#M-tx&ZP8Iհ f#~ r`ļo!*d l桿'* <1)ܸdžc߼rٍ~T̺Wݨ~脢GtZ2"H_V(g b5LU4GW*N?^3BO> {o" P-9„nfm)uvx۾@F m' wvVJ4Vb?ő= e 9~SI:7=A˚zk >S!==@7`"N{WAkwŞ倆5P`A4IbTqjG1W}UjE,ij->Rf4e!nuT8VHyQcdr65]PxDtsޏQnsWX=wPO&iOIlݰaW!<4&҈ҵ|pP&Os C )|N7{[wCb{W}6ǩ } e`ݠfts1~'g{}wE1S%ynZJ59;N8ސ'$/E#i Xb ЊWs6PW 6$ϕ{r-y mr YhX/VEQFt бo4(60u_)h]oRR,( s\<ԕ]pv e_Hy/񚍇Q [*jD߄ZD4trou/#Zs o`%OA[`#p3)b+X }F_g#gQ_'ئO,^ 0vQ<*g;⧜e;[]G1_d TyW^[R'@!|*3h$s%H@,%C?|Wׅ\A5 c պ#5.~)D#I6Y[-Bnd ߇t;-chkw! U@r1t]hںa~j~"8w1 Q8d+nDHGyʻQyбO%pu-K$mծ rf`n eUYa\LݜPBt/[SJxHٱ Ֆfck O9hK 7‡ֺaLZg7 c;c DF Q6ƭYǍ}Q-@Mb~QgkD,5N F1@<- [uYJ%З@V&_r}{?/՛[/@QWS,@D;hhP!Bӧ$Xg?]8 ~,)\9?6W9QSe90GWXȠi) ^#t;dGȖЩ~ܹEoYdB;&K%@yLu4IŠqHbtrĸTJI'NCOfxmJ,+&e pƐg^?|@hzu jT 6jy?'Wl*!᳊Wi2t9h|qfE31T@|I8wĴbd goi _dx,kaȺ9_=PJ2h37O[펳ŀ@@mZz{p%\Br5+YI'dz`ES8 iɒxBM<_s{ a*äF=Inv(qu $$9^h׈}'04r&KӇ4Pq% T]eU^ 1~ ז?,OHL.-o-x6ǝ8Xe {;Fa8:Kؔ`aevΠP!9sϨiV5H+Qv \$[7Œﮅ+E|ovsH!/;9;HfWiϝ+0w 8wӞ*EZf:Q?*~Љ tTh;98^yn2s[`gzmX8ߩKfҵ.Hy7rvãG2Bޅ/14j3 !l[fC.`b.I5<ïTޜ .wGW72gSj8$ˈO6S2tdr^{Iq@P2ݢTfs`I6׿ lH:@xC0unڿ|2R=f" fA^yN+JIZƄ˭WjKUBqZ˘FY*a*a=jT%6ؤ+ שrz²=MqjU9t8PR(҂_Nh>ԛu[O怙eLdu ]:mMNPq%7_Gcb 'Զnz8}qT$qz@<6Z}&$&rAk%mok :?6F,// +KHvh6GS_xwQ7qQYKBt69键HGQUg,Kau\w?GcX<.*QpwjzepHLI+QBLHiR5.Y VFO5qXhL 3C(ai*^Oıdӻݽ`L Z}z= n=Uh?l!j"5Pqt #R,*>JOJ|4UOǭ%H1GBrf`ki1?*}~iR OkUoQ~P3 մ99H  \4>mLq 9"%_- 7E8*u*>khN|,xVDf%g?'y,LJ@ _e|T璔APM] p{0ӞmtJ'7*$Biddm5!J) \Mչ:fw4 wWߪ:B(g@i8ko'` fj= &DS{QJ`ºlR`MjzA\anvswȷbMW&4 %6 vI<8QL1bj(V=<(eLo3.U!0}X[~Du+e]de>OkF.jk> Hjc5_vekT:0XFzqMDdB霭AD?fa+Qg<|DtJ} qgDxA񎞋g5o{Sφy"V9M)K?qi8XCӶ9t'+f~? ( ֮.Pq:H@-O#&|D;_ĩɩy܄ RcI*{fN\z19+\aΫZ󲗳Y5Fl"jj ˦,kN;7 HP(t'v$~}07rٮ yU5ey>=);x<8@72}M BTv/*eՑhޮq_cg縒B:;D6%/ 3δoP'Gofg6&Nn ]_ܙNB)ꇥiË%`v~Z C%OO&9H=ҽ**@2;c`o쎙Щy,UCʾtHrg9xX*DAHQg?$"kQ][ #MTL*1weF1t1n,q`]~|CwccS Я" %SVցxX}6m^B P=OOՓlfz{{34lo!rrC{XRj:5wYFDeҋ`p{`Kެ$A !/'&E; a)y1\ˆ&ߎըGQLMXޙ\m>KU05m%&PWri-kMq9l t ^@4IZnzrbBDT a|{W(*HkejafI#]lҎh\q0mǛ&a0CL8ߊ*-؛k.J²7l=sPO7Xɏ /&a ВL0[}OjmyL0)% ,yB@_Յb/ZO 3?G`3F'] G(`"0*p}TZ=Z%3LA>-n`R*Ab'~!j m\({>i lCYP+~'W'M[ZVED9.sÔk-sK%b5YxtF@ `UC ;"fucg4&(to1ݓyV$es`B#5<(O sՆ L-b'bSVa[L Vq[Ӿci=xefkF3e2Y$ݏT嵸Z8GosaV" oC;>'Fx@a&ë*:vʫ "sy<]XlkyŃ ;LԈ>Ar ZqpvV*Å3e*'{4-_D^#TDgeݩ=Yh51z96Ի# wP# PѰWfG!U~;cM[eR*؋3Tt# )|{puQOZC.2{j2y<&>%Hڠhe{V*"k.0qc 0W?7{O͇w+6bB{$Pfn(J:-FĵT#QK y- ~>IZ)IXp 6 \9h)DQ/ {7 ?/VVidTy.g XhRTAeݰثL;Q!,%s"-K?ϴ-!U 򢉴*%~YF v{~$-{ σli/G*z ¬X'Pr> {Twĝ8*zkǔCu>,]Q6I Xn%|<[xr&¾V9TUjF#gpv=zC RbbVUl.]/v 1+1 { [l7d~ӓm#g& 9ikd&}:1Rr3;5[(DP8=R܅]#_k7`$=<q%a$+nf']=QaعBǗ8dwץ;/%!iC0w^,@>pe( iEq~HBB~"V&_+|h1*kRic@;N}BsasԙB]}uix Gq &Xtླf.(v.f)Bˏ\!^UkzӼ>ƒDzcc܋<91^[^ mS{ksi v}ݹR&Bh CAf, 4`d;4@&M>X'i1djBp(wBG`6PYkKc#FHjgnUĿTR>=:=_>_\Xe": =}NoABo9sE^~28/c ~_S !_Y\jq-}fNWP3t0Q#({;".x[UO] h}5c|nTBLA-19 h)13R٥9^sryx<8s^/ 4>MAZcEOL~ꛄ5VOVfx{Br?*u+.N S Чϼ.zyobZoUauL]Ah߳{Xr)B7'vPdHb?IonFB 5hrk[4RmǬQ[ӪkۂJb!^Upe]bJYd{JR9 ^ƸyJeB4lμrmfr: D_ā2ZMܫ{_mwF#u:+\ *Sx.A_nT螟3EF{) jԥ] ""C#kuP4X 0c3'/,|,& m=Lk$d gB0 \r >qYhdWm|[̽/ĽmKmNV3NXu]ι#(v[+h(:>+_F:N?"ݒw{$T(^d]G}T1;߉mE gcEx&P~^o2@jTc}؟S[- ~plJ3ν$c-ȫ]{&< ݲT%dOJT8hQ;>Bj< {(4jƝ! 1x֛iQ`F.rH`d!BND~ٙLnJ\SQc "Hm6aFfE-lcx6 gq~}:| R)@ܘTْl6df+y# [Wtk~~vrzC~VB\"YWOw <_X]0!rJ }E6 #v#S;m[IS>Pllc6'ig?0LcO.f9kk,xԳBoc%D%S1N./v#]VaG=P O ?7qޘvWd.[O'H m96oh v M䦄٣{@u~;Gkf28W<ߥ=J(u*Ł lh7mS9N>̥G~*ՀW# bWmai"B0"ᑯS0 +i:Nݘ &j`ƺQ SO4 1Ȟޣ;E R(1M ]NkTazȳά,?ZQu$i}:dΈH,}Kx/_q,ON{v71hn3DGAu%T#K{x?Ip Q;3TB NݫRsNJT;z8Tta<|j.n&KԄwN=j tlXK"0>6*M*ie2+zIB1C3g3UcYt v 11c)AZ=c@3i|ß ''XiuVUt$(j ,dykSj_HޙZc4M+ F7_@1hm'ƂG7ZprjRV"v(D][wcLn,6ˮT"y@cP6ZM y-4^Hi9Y-$s:2L ? 7. 2c[)xI7?*2?\{qzs bʝt6\kZ-WļۈmI~qv5)OɢTMY wh9G\ž@9 :TZhtܗ:sy.jT3bWA|-1 a@6ԵT4ۯHHr%s.j>sLR"%uDPx)l H/)%1ץSYzb("m,pjuf_kJI%(Әp`?Q:+ s!<ǟ8a'Dg_"KtQsO 5AeDrfONtGs$BK6 ҃@g2q#T^o]nQQ4(Z!UQKpHvumKoU1%\ߒDpJ ΋,vdvP@\tjHm`O쾣*=\PDi${$:ƍ:jMLVhK鲽y$g0X/Xl~lBe1㥇R\D9b/24b {?kX]hFkGWfjCEA{3C> ^PDžXAeӟWr]e'1d|Q-CX&_roKo߮;Xoَc֑Jl;k_Gw\4x$[ O>ZRx0{~=J>j'HÁ 81sJ(G_Θb#T߼bckbJŌr|Ho,^LxriYsvɻIȨדΖ, ~fPJݩxKcSz,Tq#Ln\ mvl[ҕ8u͂.lU31|KѤ@ =s R gb:Q#> R>E' ^Pwݑ!pe(fӧwZ3Ei922`O1RHiP6>w)q%wڒ6-gˆ߇ne{NF񕿢)8>gKzv/o xEJzJ_Pxs矫!wbZ1V+CC7jGi! 8vmqz#ZUE3gow>7q"X>]kSHlMY{EI3b"ɺq}r@$xb Ьmc,nj RqKIzT\4<+Wqshwۮ1~G tYQϲ e(Ti;|1.;$bp$(b$]sW5F_b]e84,*2IAO+* =T$E"ؾ;ɥX!^1l^? rnt[K# #p<"3)2}zĄs&Ǔ3\kA+8oH蛬"҈Eq2 Y5wk]Sp}{Ĩ@f‚ :8?Y9ބ ߔr^;effhkw]D8'*1,@h.#}eNb'`qVzk\O8""ڟ*dxN[6x2xb\O]A59[VLo,K yº`jb cj苌@BN2]G()qEOF9:xDvKIahH!Lw%Ҷ"|􌫤\c=*m߽3#R(L+ K *KZ _ VvZH8Xc;A1>rt"S"$wՄ-6GT/ 5#8Ϸ96/-Y%Xݞ.JgL3ݜA;1i;Uo׿CyvP~o mJ:!sis#/0ta|/U&5{݆1Kh[KdP:Tc*A̬u& Fq[ mvN֗ 0E8}&ԈRƗB UdhSs![UH*~1 ۺ` **A<G.ª狼sF^L<"lT >WSo ]/D Hx&XiV'D`3Tbp%lԄ;F7T_\iKؐV0`fnN(a99@šoC 嫣쒕rQ+5 .[ S< .p/B\{^}.K N?04.-x,XYN# `[unmVH1j1nSdGVxZlk~kx}K_Z ֒@7Ӎ,R9c:gS !z~@Y0m:oI\"K9:"MQű؅OGaoqc)cX uRıyz3[ _zXs밉"[.|X# +:=P}8>jz!)"kz:є;BjLu͌޴Iy g6l9];G?s GM> B۱.Nj ,Ԑ ?xu xd+K̚\{=sD_;@k|2hFk4P65ekT8*B!ƌg--VN^D7n>) P&hZݡRZFD-ʑz1񟓂lIsf-9'9B`hhF2;*+Q'ٯH[dAgaP7{hZ{ؐ,QBw/91wɶX?އ> lj-ZV^f (d71OcH55bҏ\V*1n|H㈟}9EYW/tr{pT$]aP,;w#2 F?tk%>u7rn3 Ї8i:;5_ͪ3-?SZWZz:Zl܁ ^aɠ }4rnZ^y|шUs1;}+VCF5q6_6/EN0=FX5#/djXm,ұ\Tf}sb Tc.%<:lW6Lxsday1Ƹ CrwC+)&]CIYEy]K,Fr{cmL>?{C܍]Ŧ8 đĶBA^7 *O!l3b NǶdnIB振> ˬeӵnpu*N=t3Bfe1n] gvQO^*9 Ȣy5˙.NuiO߁dʪqg_9tON!'"5kL%jkFf)f_pg4L"|VI˘KR i|Uz?V0k;V&E1T+w3<q IۦQOH=6iapOy2w<4+[2jy\@d %&Œf:6DT0GCz#w֐@~&1BidnYg=,\¸TQrp>θ_5^v2YENLju`*8>Hm7Ϛi$QG=йΔ@uu*^D]rOuU(o<-ͿWWznG HzBTF{z7 _8-<{,"ONXr6]Sf'xE2X~%]|Dx![qn"s1.:F/훚O@x87*\F}j507th*43? r`^ȕ53eMH}cïF@cIGeQJc%k Kc5|vu82g:9xNA< -} 9D Jʶi#E TEN(.Io_ f$4e`S^>f:n朰$N M jø(g{gRFpr13M UoMa;sb'fM⌏&O@wv(qJz1'#&g;^2ȀЭ4[0[A&ո$9Mqæ|TX SˡCŊJ^2<䱓]h5~|dMћth<\-5~u 1OmNqPb2K׫ 0Q6%70ӱ g*+#W~V}z?H+c5qyɦA Ycܙ%U1RB˗ /I_w}INNgKW\"'Ze:;NCuMתr~dP,n$\څ:EdT6=A<)}Q읷ڃNwTf^ţiɕQSLt})i n+a|Ęnpw7)<' iRxo;~ADJޟqgEژyTgMQB8o:P3 ,>U"ϊ֫S2U+@}4h-ĒLbRei?O͏da3r7'}.&ɔ;|{X1d1fwA b/-\JƬkIn|׾X&S]Y Єk`p0I~7P {]Dh !^`cgJ`q܋ 1v]VOo[+[ [G?vUwDgғ3<'p8}2<E bzm'FWr2.$+MCsadp zW_U-/≑R%;}:a\4 ]b]Mo@'*+d4:Dp&4KFl2Ltvm8K|Ð"a lp0,-ެ'֮dJᩳC/ljxba]݆EeCPrA#[7=IFW%`X8ʇw)}$~sx|nn\53/\ꗜ !USb'Yc- sdji͊;06&'F葺ްVBtvGnzHdT*)#BY4bj4XAz3o";4J+[ޱ͐Y5*9poI%6uBSwr|t,T[=[K庆'2ˢkt9;uEZ)U(-=h8έpv=wb \t3c]>ϝ/p(l8jˠM.?䀽H_ #z:w*#w: $y+ qQKyahKGIgAPd𓳾zA⥒BO%v_.31&! ˕\5r^:xQ㏹\w910VNo4U=/cDch$#e]Ο+ɀ2-+@{b(mu 뭌9Zx+.?5tcN}i`WFX6MyD%4ۺrbm"1b,rjI&B2JS"WߑlQcS8CP!M>}s#!֫'EjL \thI~A0]@ =Umu5-;h;֣n|bEar"YCϿ?;S S|~Vr MgBQqJ 54t3'K~L4azPšfOA4+w??/vZGc2VT-b'Hsu(*Kt4*x~1,˅VqJ8Vde*`KxD#a]UM,jR;tnT7:D. bC..tV$=mS' HaոLwJ9;5Z{JOHIțf;ɯL@G6;7aO.<s†IM vAuM'Ҁs~nMt,RSZIg~!D3c۔p(QHCi"v~g?%ހ [vPRl3tU +քD %{uJS~玊CYrhC'rPR#P]!&&+<*A\4o?[߫FOmw()…Kj<EDeFˀ5^c}%-?"pruY`\Pja [8UdZꅾIqQG AC>sKaA7LL #) ,^aOX͕Otg1X\N4ߋKb#k`ixDeXp 4R(oܼpT{adV=Ew:νj6:JDf$1X{=չX0XÂ5m/.APڴ wG; mAŴ %Q)MY\YsnQzHTI4lM xBlC 3^:r6}!S"++!_ Y΀DBʽ#4fd zQڤ`^ c$Rya&0 { (<=m|~2C~&p0cƖQÅ L\>37G KP$+X3JW_aDs)I`k£m}M0aI >9ztЕ4OKF?s9-F_p6SϙAk=ÖmU_E7+"rM^E%4ի5ANne)ޫ/ELcw Ͳ3-=xzTٸ1u#oKE82iqFI?snj/,ŧB.iX]3tQD✔!s ?u` *&2m>zu]GV1 @/xvN/ln[Wb7=e7?#_~N+qS~>lVjǵG=WdNR1kd]zeXU_gb$# N3*DỌ $vտE-0pIcmm{7v,'kVƖ~Ѩy7:AoE%&3~?c[SNo3X .1>" ֍rzH9U_| >\T#G#']B{Otx{ZO e[TUyYp2qVYkJflGi /Dn`5_qdNTtش f\au!l VU}4R`e5 V.rUM$YZUB[RV?³JԐ;=4"+ [5"S,1aˤq*o49 ~x; .[N̠IIsIf{|5Q}A'n?CCkڱd\B?^%–ۨjwa b Z$ o,D#:;ޘenSH X2MI$? w}UيܒW Z,#1fm4u:h!\P!MfAحncD6_Y]'^q SdQ+rdT P33VW8 ikxvB(3(|͈KeWtL!`a"q(A5ֲX`|d2Q pxֳ\M}+b7!rcErDeP6&ӭÄ!Hښ@* zRg"Zj8 b1+mmx{b㪼*x~8UҁV ^M0ȹ7{_)/pK^Se (LD\nO@6'5"9V@mzMk`ūDsf FX`奨8 뿖PTsֆ C:'$H| jۀZ?UH;;0qպ̦msS>xH jk:ir7SS>ؓWƥЎ5쳞9B=Rii?M?zX鿡dGIԧغo{r&GH`3* 0Z ĩYDz+R0B5l y;+}I.¥b)[aؐ{`׆b`l-|;CnvM[RB8{gya40GuS4srY"t,͠ci;2}fqhms1gyW^EtdJؿ j'VEZo';x1k[ i*T#!3$o <7z6CK ƸD>9j.A n6;eE3G /E./ҺТ] T k!aL̸wd+]|hϠ2Bc V Bp9d,#8gk$WaV Q!8>*ӸQ%Fu)4D۬"w_g:0HܧGGG*_--jU6-Mfl`v7k6P[/5[ڪ|UW~ds~6%gԻL{t/ =AvS ͫ̎6^g(ch6D *Zf.ɣ pK92\1 |xqE._zIvdKB7ɠ≜$wO!+dBE#н3?KP0#%AVo+fu- ˕yG-G:8Zadf^ G΍FkHp*`C/e6oRF 0c>l۶n2PIдq/,,BCe.4`S ~&p0nri̠$td_c^Ԥ;|N4ݚAt/3]3]sM D",j2y-R+v*g d4%Q^݈c+61(OubZY=iqΙϧy h;&wPo<D^FxZJz`JҖ$naȐ|yv5G;`d#s4b \r~khXV e1˳iݼ;MbPXZŀ4vW Rr{L̤`e+଺4]koQa o|&{q;SJ |KqTBh*)?uFͦTYo` Ʊz'-ې[( '8Ge&bCH^Aҥ=A흢VSG0)=("QE DW5C~r" dr-۝RΎ dPmC2lfDT+>s>׉lSc'Vo{*'koTx"5W #b#!- quGO\MEJtm7/Ul]45ߐ]L0QԷmn! ifA\=L/| 4 Ư T%Fy1dJz:plRHVjRjV -`s׿z~[d @hd%T6MՊ,&Um5V~'d<7ḛg Aak`" ,]mNQ-Uvs6&T~9*xx#-hٟϼS"y QL=*NW&2]tl5pCq &o /.d/+pc 1{cSr̮~ ~9Fղ񽛓ma2V~n1,i9֜/hR$dʠj ی eyU;Pd^XHiL!C f?̂T& FĪ:fe<Sp^ .fC99?5u np%t %6*CM]/;IoÕq=YDXiFc_ބ}6]"gioLwHhTxf+ qEթɊ*&6<-/} `o!^^#Y4nh&J{/Mf޿}T\YVv޲6]aPL: 0S/b[Fo3Cbl@(ٶPHI9RP>N|k*[,% \tFΉ2X;*d?P'%$#ْr+?7VCyhmZ ՟H۰C6ʂٓ##A}OD'gpDՒYtuBgf K99b`4v (O;c<#zߓ4Z^Ϧ{ZLmafX8>wdu MN,۝\`V ,1SAƬ * k!\TA?9eD}ǃdą;Αh|S0XjAHN~թ1Yec٤}liQ5-g,_l0ǒq'~ڕ'8j:?Kx¿lԁ(ʐi?Z |mH62ߕ5Dp,֘ Q;K _[<~!v] lp5F-$}jKz*ݥ@ /~C-8욓#:]lU ) Lޛ' jEAS"cyt7h=kZKg rZܖDVf~NV I;;$^( 򰎱yKEC!1V/pwh$;2j # ~9UYeذ?5MְU_Q| Ex|J7޽HG\ًA"кt̎%K+uH. BD356ycdQܮ 6"*ĝ~+vd\moy`[ jD~.x@fٽrFL)}z$=vWY*jx-N2V$}8*Ͻf5D`C];~oc ~&snկ Chy4fQeLfP,CQ.M chMՋt[Fz^,VWje"PֳJu}{"/x Gk ~Gg\lо3kmϪ/͙s'mu8+ CuqI6^)[i2K.^&9E7MÜ9>]`'WO0Z ϱǕߙB\f;r1E {< n;Ǖz4㈌tVY6܅y Z@r%>K 5@J+hЯ80?Ү&b N2ᤑ[ʅ7-]լX^^ǪFsZ `u8{d[ݬ$ u+¬P])da 0Т>ɘj-pX 5&0q?-˲PQj~P{wXinW!WfJbQn}ɵ"4]qgd;+7f&j_ ym1E#V̒^O\JʸlNixt>>HX#PC~I#]ǹX {?(>WEKa:ζZS#`L:-2kk20/v9 FMU# 3ea.ψˁKw-~I ڄ꿿5 sؽ_vqݦ4|Jta:x؉N֧k%%_@ehGTg 3qM#j"h BmVVl$LȖ*ق8Re4[;V}{ Q }e0铖GC%DL;xyf86M4&K&lV( [WIb&يpiA-= \b3M i;_G58Mgr2tZ_2 (}Kƥ\[ڞ}@1?:uHXD;Tؚ΋t]ی#YsWӋ/F2Bl?쉢ZhD{wxd2%;:ɘgDq 6WDͨfosuמC r6 ݋j_x,Խ W,39ǽ;~>0UQ{86 q.,(?G`s6?Py➭a9Xɩ.AqsC%]d6A4; @4s@:Y$C ʺ[gcgyj[;_ߤu"z4RJi#rRԡ 7=vϟ$KWc`8Ve\6=3Zl-l?'b^Xj-qBpq`W-ZD]<̙SA촤X9n* uQSx#gW-[%Ԗ5ch0Aܘ#.DpQW]>"I'J\6lGjR')EZI}.}{X^:"mtYCkS^;`o@Y%0lyA[q gΖ* Gcj"^3vǝM!=gCr2V})*ΩP&h^mLx/ˌ-R}T;ZipPOMPd(u=+@9Mr2"&ç@; A:?v$s8#Z;֚~ށb5vSb J4 ۩%G*6.q-zR.foVJ?҅a=UDPjlЀ`0(^tpv ^{e{Qb&z#w/>#' 4>Iפz[ș~̅2 ѷw`g-Vc)ten/L"T02:;a⑛^ה LƏcgT3݌OHUZ?nKwy[F24ie^EJ ڪU@yx  va| 8垹c`Yhm_G1ͺ)Ar23/lg6 H֕H\jX'P] q_9J|iI#}bܵVU;ْv5NbS /o>.`Bo QwlҼPEǺ0BNy}v5vcu'sc O6<|񺰱jE溻vj쀝 } l%FvAAh4 tTm|RQTbhBEԶOأmdӕGH =j"p_䮦h/%)p5b^e>{/v?T xPmT l[%I~p(x>O&!>b#bԶ!?t:`8swDE UTiZm3v] Oʮ'BxŇf.j#i0rv N;7﴾,`1xS}}` gߕ(כR8Ԝ#y֖DQޙ T|W4:-1bE$նR*b09xd}W.zBeKLJn%y*-Z)k~Gh:T o/ߏBLo zjr\ҫ_$잚_hc^/g]2wӈC9]*Ӿ*8e ~.t-!+@刡̇߈SZ3t& {I{%@ swa TWss,z~fa(j ]Uƿ#;@ck0܏Ƈ-@?Df@hL!m 08/wiUW{4ɸa%j∔XYY <2;Ph^l3̖. wBHT6.̃jNTRza[p2% G1X8{@bƪ8Zo|&oF #@23=v oM* "ݽ\OCR:)C#J}OO9 C=G' LA"^ASS#N5N&B&4-<@> >4&)pI$Kw1(M|+] A f0%@)mM`[;Ge&Hۅ̥rdT_4cj6\C *+jm#p;[$׸ X-Ax2ņ4$8&.E@(wc:}rpe'p4ݑj0Yg,js $|TڵւڔFH \pk۰.: 핒qiPz^Fʼ1}\WN7 'f0ץ u3=f1cWlh;A|Ol魩GbfZ;,`L(ҁ3VVv1CS&C;6}7CvDY^'\H|y; 9EKqkP\Dv]& 7OXxGS|{u3X})A^{BadVb:Ve ,721qsfWr*1EPpϗ.+g]m y Ky3ZgAS6P4^ZCbP1>eA[ Q}q&CuR=It&DMӵ)і]&AȀfD "SMU-LYzsa3]@ wz)B6Gq:ʧNqBb/7}5dOm?a>qIߴp%QoSm$N%k,ON"Q!>˫a[WE`/7ש8.77kX8Zwu9KjV=S'9S^ފ9l!a\ ^コe.EIȠkK&+.쎥ћ<q])ړO 0g8 9Y.x(1q4 lqCHj 7* }\״GJ@R)܁%_ G--I$gy>MR?rIPBɧּp6`^`gGS:͠F묜ζp>-el4tLCe`Lmd^]U}F F >%"WyR f"6~Y4$iQ *q6N/%Q,78=VcA: wOKn;j`i\,1N=SX=; q.ro~WjHxB 쨯=('Xӌ^{"h L%S{-ִuW=*8F# ϥ>=k(hDO`oްeHhCAKoI3Z{b$5m842mEnѼlM x~wsT~q'C aTC &٦ߔ{oT^#Q$~\}ձVL>%y%W7߃}n]tLVaYnc%ְP^JWahU*2Ή\Js(~yI`!^9 ̱!LX;[w+.+~L\yU!7rKƺS]dD1+ӟ20 WIZsv}"{*w%DAO7p"|EIyo|Dt}|fu2z aIQ58p 'r@q3Eͳ`~~7FrdNט.R!eA/Ě#AQ . $B$?ĩ+fA6Ǜ2W¸:;!e4Z sҧ$f j@?r 8}o6lbW"/դTr$tB4vYgKI IYG!(կsWtR͵PzY;֕+<NMdShx"˙B:]Oo˄?Cr651Ze]2`W˜M.P2Zm'rePaUx!#>7gЁPk~3sG} DL+7 M<@_cbmiHi;5MMlph8@38$qɞ8ı@'ctX;DwPt-LHbdeSFI$[Vtp̙UITؚȽ.0Q?{w { ب"9:&3M 0HI1W+XXqaw|v~1 }ȮJâBo|N}>vQ#̶JaAjœ\$W_\]M"oG]\Wz;'8T5FK:uL3yQw6(ڼv~ M Bæ%=MrN!TkRRoDI>)6iF`'ǰ8Њw l˫El]9T5'@6krpLx M`er{^9>{C =%S! _t̓KIGeHDeɜݦ+C͎3HԆۚR7#BcB%f@Pz+ ѫk0,*>$ /ohR s_ō· vXG_~<~&n:^5Q͘d/13Hz1rܡ؃ SPUlMix{c=|fY׊k"Cj pzZk5~t?r"M. Ho %rψbB,UMA?&A0D<0n[qP4iߔj30X!w"U:rZQ9_-6goHeTnM|n?z=9|G|q𓣿 ͮ;fXi[,kɲ+/ \h# v׭uΦCOw T71˰ Ϋc Kf{9*7pB|֕ I=q/:qd H16K. έm7WBq`u>-jzG(3۫R꬝ء0I316}u0&^cyb>0f=x0›xpIFAY*u$;<3it%B-&Yo.Uwxx2 $5ӧ34-m15ˀʍbwg%!&Xٍ:4omFHm괞l5U]6h nx0ɼ(_u6tșE?Ê.eBWzꋑڴ*،.!.xx6^]45 &]:]&{ |DN PNW')HA?6uaxac./kIT$%[ e[3XWNZNs2{D=JggGXj-sksٗ渙.F9k%ܓ!i&9u[ܡ j{K?Δo߄a j"]MDq 6.RH|g̼AcC=ۈxJq=-L jtc9!Q$fy h^EuTC.X Z4ˆ\0*{CqPS1;=a?S3@TX-'G+5`ϹcOTި6u'LaյwaOdjz7׊aۖ0YG֋wiZ$ 1Vgpb:t"je'UvS7. WoͨꩧA{6"Q8A99 T +"3? VFYJX4A^mbЉkzely Dz "J2aKjo-Z4+Y$ k#>:wVڴ!u(c@/gE0;u¾ :KYi}vbT]-aYȂDmɚvNd6'f&H_|,=;3J> 6+ӎQB*({ݦ B׎K\w֭AAnTu*͗B^gST#RߎCGSp7V?sv\fiyI?} Hsu N8y2` |%zndc~=L-Fhy-m>e"?6$AMu٭0kr)$>M0Aȗ=[k:ql2^̍t"oIˢqYұ5kdXTDq.fM~ƚ,eKr; s4qmř3H=E 'HQҬ Ywl~i <2&)Jgzp;3"C,Er¹6ZOzY[Ri< | p 6H3Sݷkg}T篃~v-j8j^p˘ۭf.Oe7[,\w5q5 Ȅ5a5];0AO=+Sb\"sY#f:>wϼy~maFN+ vַy˷*6w/o:\͌S^2ui-Y^;X4p}:RG{^t{R3uk>Gm| ya6pe!w*.\Z?4G} ݜ .^iG Ȓ;RWTt y1+5( OnO0 `x';Q{>Rj~J<=YPBz6{+>q17ZL#xe. "j&öeCy-Awxd9q )gW01Az!ՓفU ۇ+W)2^  ԋiJD^,S8a:ϯ)ĉ1 'UM0Ha-9QϑB{TjК+$:Hn?&~xzvP*S%̜tyv_΀T}'s5# ohcR<bJzUX h< nSxUzca%wjtvp\[4ܪBT5[]7%Q|*h_\N]ϪGBK'h]f f\+ۋ<,ց DU'SDK 4~/ౡC?S>PT˽)]#t9S]/5Ʒ\QmjںtU> MVn9 Qg|*v}ٛZjN/c U(eV J8 n` L M,Ruj#铖&n=%#[Qd;$a#vF<"&)+Rog8H懚#ITC ذ[6NHa sph5V3\")=pmD|'oi-V^IOr3 ȰRXcvAgJ*,@q)!m?y3v>c-ۅ>FfMoK~Q`4b  d(cʍ$\szIu7baݴy4Ed1vyUPz\LʲfԺ~߃G~8رҥo`&MŔ(XNasG2׺qG3 V߃Ê&O>A.Az!G OY#4"$v}#s_T;.YE؆_TՎte ѿU[3H Oט(y8eZڻoas ОpLuPHűPMZEl" pJ^Y[9}\|XyE)Kkߟ!(4kTI~"(riEZBCHw;X(ٺOK @7v΋2c)XTA-=/T%݉3Hg$Ggf)#i1tS'wA' 8 [݂5ͻFn=F^|]lETm3 9)v:бbldT9x!5hq*|>'g_48F7 cIryL>Z4й2-'AEH$)¾jmt ܳ{P{y yFUkdӃ93`rĚ.no<~N *DO Ķ1\К;V.0HSE!6,@?U*V7E8<+")kPzRe^]G}Q\>JW/&Ft^$/(6<ѭYcw(=.(u+8id˒Yoj ɋHI֍C6$xl'ϛkixԼSs#=w \] [W5܌bh;#sN4D#п rk":(C҉ hKc>qkf`c Cn4]~ A!{lRm,:y( X #mؚ(ROh. % 6֛ %gDBQiӅcKNjԅύA{הN))+Y^vD=<^eha( , 1WAI\L٠f,<EuEV' FN:~'W>G5PSʷ/,3g$K*O| af+zIܿRِm]ה7{ȇ1L@#$\?Wؙ+ &L=LB\P3%L+:qƁ3WB bu^b$U~i&WepOU)$ue':TV7Kc!׋:(.K㵔eO1|<(:Zn_-$~Z+RaҘ8WAW·D"vȒi_cEo  }&=61a|n Po]$TiTЈbXI<:O*􈏫 !&kF&cH>̔d ySs\ˁ Dit]QEڃ T'%[1iߟ6@t*\&M6-/ _#1Wُ-͖9L `*Xo ; )`.4|<) mUWtMp0aYP|[) 糋ͩ_s5Ic J3־B6$͍@-h*%H)^Rs,gtop'5 mcC3~Դ , ^ QtwNA9vSRxb$d9 ų #;ls&ƕ1cŒx P繃H]4~$KRFmkIg?l`'ABN^"8"f'5[X(OT:R?Ž8NL)Q"#[lۼ.۟ևߏTYbva_JtG+'ˡOZ2{pWBf49n">5{љ"3]//ý AZgy0Nf9 # Zt5AF“5gB#O:g\SzdI<3.BSg#ñU5Ld&+>j!(@UU!')syGoKSg:,)2(mo_̰ ?Af՘b#ͯa@kK͈wT&X$ Nf3T`VDx2^q[?r=dƒ:AGx%6 c{(N ?x,aiyr@wŕgtcF+)(I|i}B^ݒ^s|:'v# ?:`EP7D2:l^ҒyF_WG9T[xo}Dsyqe(^uQJNeLU:Bxw5ʾEb[GOOv Y:u ykUZ7P~nۚ !T&"|WE=ɡ.|.[%IDJQR\]FS9ciw.A칉!!IzNk3Wy-y4@f&ir S5aг|`uU`BrFF86FGG}0GXNDKߺ~ 7B o&lIbYFV0D#DM}FDzK9 3W?8K$}݄v%|0~*d6i 4H0S\\Pr!w0 ԫMk@jӫHu(g9 {g#ԓdy&R-F`vL5) 11>o%#WEPAfZ/&5p)!.yp\ݣ˪ѶOf8gH&hV;zNyb#&T_D"pm7nͶɖ]DIm޾6TZ4y3,{kVGAw*N@CEjCN1|ՠαhf"ڔV|\dͅRև^PP-\%ݑm1I^NtdzLra FƣT hy=KnD3GdfPA,35m%l ܹ9,u@.n`5?{qBU$45zuy!zq:kLUXf4dz҉yw0l#Nj][F+qmV9 L"C Z̀iC=@6,u9s5f)4 u dtbSA?Kd%9+@2d3R #7}ĮhM(.N u[|sE;Ubyz@8Y2aM}laeAE ?W_# Ĕ4U?h ZشCohF{VUK 3R[4T.vqM8@aSt pzAX~c zZWIEU^/B*s#?'L]SJ B?xS1?V&8"#RlzHKyGBjf[]xl}-3$rI?E!=njT@3 fAy'Ej6;@t84+n5yA'ڃ􎶇־'~Ց'[ԻC zǡ GN8Ly0bBFU j7cG^'Y[,)#]t)@уNp4:]솕c&YO"c*w& :l;Do@&%e9"b6W6ͪr(/05i)O]vgr{dVĝˮ o6ll\u1OA',V'L>#*؋t av1I "^r~Q>/3 /srjau~ao٩)/t6d?|5䳫sPp~qMzXtRJENMRBT)1SnYt w<.ah-vG/h 6,$:ѾoأWԾA: } ;Τ(;%8N?jds!lN1H%42@`REnjBkwM(,Y1,4,W#Qi70 CTNCCOy/Y}m.Hӌ\A:ՕfEc隋̇V)n4bKc n0-:ǧk_fysPna^ D&VG-E/'·?PѴeL,M~Giƹ@IdOUMX X1d92 /Rj1N\Oo*db.j͸lG|{| :pWVΛF|6`=R:[_Z0a5 gEQa]fꐖ){nKz:wUYxQ &ԇ?~TN x2uB%p[mb#F2/6Yk O[2}E9OEMVWNG NBN<,ims3{ !DvYaOs u7ifluR*+wtqȜr3ie1,wP_y9Ʌl`C aLG_}I,Tj|.'wjBukh6pKn`s/j.kKϕ5O =r#ˬ n-Ə#4.6ڋ|͆6(Cm ֜Cb^hR&$`pSG\J9J&MĹ!׷6~@:μ+tkHmy[KJV( uQjHN wlSR /No! Bt5L]h. *K(T!Z@MDut$IW)>L6/BD^jM|vdzG.LV׷ʎQK&i(VvSbe=ot߫&kAROzJ-״IR}pkKDd T}{uo?FzCyGQ>;j1A/Y|n!S>nH;؅̫mSZ `@r21F7vj *|g0dX/o~ۥk&- KZ+V0eQD ,q'*f@}"Gony9 Erӿ(1O!鮷2c Qnl$,Ҍua䀉oE!~)| ˎ*Z4*/Ka_L(Ԋ4\Hn/ՄG5h!XCR߶>O-Tm H.<&ͳ"DXqПrԓb=CȔRWo`ix>R sk󑽈3 ^RhKHƑ 32E4Zybl^.C5r RmU|އA@oX,t2x\SW=_U6JVNL#x۳[V[; vLif@K뙗!!kCAM܍% 7,dҟ?mO \se#h֒R?@*9Χ؂83[ttF,dAЂ5 9\kD~=-:vIwo An{ ք[snU~NU ,uu…MAHMh1n(77d"մZB+H,T[9:xʘ #n44sMȟV iulGg)."W27.ԓRD( pd&bW+̧8/TǍ}a)$(Y'=J}\U?7?;IDfq$eӿU5ސ%o갭*sݑ ]&&=Ѝ)ة!RU\ 4YWz k*H]F#I|R |vcJ٫-ZD8|h6Fܞ%*'Z5u&!i\RiW~PКOsعu"|3Z0<%mKaS#ۂo-n<[tUt= ]$wb+Sez:NaSt}}؀`ؐ3B^^eR$:؊\:F,0W-.2͵R {D P%#"bH,olzy );j.&q$Tu~qb=6l|od{J Hn^ih 2ny`hM{~~#)_>Fj)>LI{B"qpaËǀ`_˔;,Mld>jqQt(|:E)>K@z;X.gme0Qq7 P.ýBnrw!t@iP=Y\VtIGMrW[`-A'Kad_A΄ucydbw j>?#wƝ!ƪsե9Ë ڦ2OV$A }?TO2YȰ4&s+)Wx\&ʃ-Eiލ$u!/:NI;oWx=^.5LʟhվxT!υxX"Y#u%Jv^0TQM"yÆ=qÛ Zjv8/]vsl",Z2t>0Χkxa6æTV)G}\;̞fW3Cu(~l98V~`n6N:叢vLAo/Hs%.|>~*4hPoW @nO\|7h5x^aBi+ޖ{ÌJpNεO[Q(nioܢDTswO>~ȓ{C-`RX|t:t((5=o.Y.'{-C:;m|A\餚㱸 ΤOPZ^sxAI` F .˜f*7鰯X`Y|l?4+r;d0_6u!(JJ]e8㲜 $I/U/:AǏH 8qIO.j<^믵kh|m~$Bk͟璃GU:M1ԱNgg 2!w\cen/{=6}) 5*7J'X x &XVUFC`Z>6TGi>dk9TQl4?Sq5]MI.?չk~<4ŗH \RxA[v'>j'$.1]sd"R>,G{uM$';e)m5qf]IZ0Llru UȘ@~ȵ "hh)f$ni0RԞne5E2+ #oNɌ|L-Т`aLѺ,Ćxt ctVM\LS]i$-?*S*8uhG8~̶xL]{"{ڡO7Y.Р)(b9%2~U\Npv=l41چk,_r-˯Pq|=#o>,ZQ@JFvd /Fyk' vhx[zzt (G~z$:~y B2 |-| A|TeFemY0,O~c=E0\?`#y A:Ȕl[(6"7txtu$y}`JasKD[nɱlؐ BsvB v"ږ@hʭFUP8\a\N,2SA ]0cU?} VAh9 8D@SDy$fnbYqN ;.xF)]nN)X fq|B2Y^O.Y`-.rQ/; Q;b2``ĭgidO+:U&>ȩ_$%(P.AS2z#q5Pǣz>6r OJ;07&j)`f'+ Zm{G₝z=< $1l2 8xf+PmZbh7b퟾F!n֝u~dTQ=ǝAZZFɁȻxZq9Sw>R'iy $+0fv9t9d|9 ϞU2`Xa~yƼ(/ ݕ׽{|d[Wz.oݰd>lgڴaJ^5@fMxpSn#4&|3i!}7W85wY-NHn*D2NL홳_ZOtڨCAkp;`|XU^fowUA+F6\VûZxyj`L"dɏoܾ gC||qIY~A+ zoo|sI+Vcqs&2iJ:Уz%Uk2_:u)eojUhWٝZ]dlc^[ /B?LqkG 9ꪎH[=$cS{0.q6=)*hwx&BX$}ٛm=܃REXZLwZs]>7Nn}/")% !{>X A&f,}Zdu0_ eA[mQोuaZ?iO\1ߢi(6F A&E*iZL XcwQ y53@ ɶ7)cA7\D/د8xEwnBr1G@:..Iy慪,$'Y.\-ƾ!>!Klba6WޅR\30E# LG -oƂ" P%hпNC?"Δaqete˳f#Ú,Au헓+)wddi;!in98f"hC%I⩡t*N(?`57F}c%Lv䎟p ՀZèk7j^\\P ũVɄydxN&ޓj܈x~>qi--kTN|0G͆a_l__G{A4!0Wym ~NP( Fҷ4.i!]j8TυUCӵq/ ӝ['+/鍃4ꖽX{l˦+KKBxG,`gpYNP2v"}*/|} B2>\gUrT(dї?8DK+:P6 4Ӭ [ʣJe `us?>(o|k1 L$5&vp yqyh&cLD2^aZhJRrx 鷭ۣVseld慇=UhN:jg к:|HnF^m6^|J9Tti 鋼4Ķi'%sxF-O4Yndm\QZu笝!<Ld l0&3SfQ)6\MpF|~fF4RYRf })OJ6l EtuSq7*= d(w.u.n7Y_QRmLzj!XNMC0 770Kˬ~4 _bǤC1lun3-5ii0nV7K^F Toj?*\ 'iu2~$'}:kWn&4X_a'C6l=US`>x /dó ]v, 0k!XT=P+Z(SO7,NrX%G L뮲QV+ux.-,kIZmqr_A<%؟A+`%å3g3z58Q] *»ƣP[~_ 輆DI)m7gs_b'v!\2(txEUtF)ZHdR6x`i)\U#tۊ"-W"Yrl{-\j:{,0#&O|O16l0mQg2~׭El?y:lG|'fysM.%#!^$+Юz[y냼NU?L'ptk&zΫ0M 棶)>:_vi/| {Q(u3G|-1Hl-ɵ&oyS2nNmԝ&|=JQ@Wn++ƅມ#rpiPiIYߒ=xّ;AiU~vBhPB96Oc;WY1!n*?FZn7\ȩ'@I[73JKqQk-BiX|"\ ieS#\:l7}x(u[1Ϟѿ Ap h>ܞ!TAP#ЄM^FV}$\*3$ֵ'w}ڵvRX ~} Ue扅Y}V,A`,5N( tMqlO>sNccG ?#Q0eB^SYժhz/@ko)X`k i}dg̻ؕ $#!u}S,<Yi :|j9N+v- gV7B^?P%9Q55~K7߉#tI ,YLOT5,ڏ/~1oH?N!#߸~EE_OꪉQlbpIɉXⲻf,qW}m&w 6Nr2&MFFtl| <3@"$~!@Kȴ̪rV$U 4bc))t= d,>c )0Jkb̝0G |WTM&yಁ8i>Dd/"Hx3ݶґ)ֻfx}f^Btnd{IQo'L)Xqڃ#G ~fV;T; I?>-cbt\o  {7#j T-P(@א^S2%(;!WHX R:q|IWF-_DJjr츄YFFGhDPRHdM1qČa -C*ñh3Nu|#~)9&ˆ=L* w˒&KA0S0>XO.e#+o0ʦ ^ǘ#^RCN,Ȩ|TƉ AR<:F?tׁ;;g?fFmSt)SW~W7EX>uf&[misTSI6l1ƪ߸~U`=-%;)[IPÕGkF9O@jf()?Z?>a`7@[Pezʙj<{ -.(R]$xotaIJ@w Da䪺G 2n7BzB"w'mc/ C8 A$CN;{d pu̓N%tOG\?SS ѝ/( 5.co)%O[3U(?8d~Rz~e:ЬV˶xjkSܗ4'M44BOo9d:CsI0^8vľ 8l7K`Pê:70+.,YC 3KEr䧿evc5|,MfM*0FBS*lj*JԻwv psڳYbzDܟS_U-xĿhYt#ObT2U8H':LF2IZo f,Mt2~ N=l(oxXaBFJ:V逿d2c7=+uGü+D߻eC@WC$z+ q4Yuft@:qI{򚰏&?0\U-A5@6) U#o$_0w6!6JTo?TWSHT{FNiq*p"I۪ȳ{b.`uLd2c<)`ꛚ7]0auXJD) G9& J'ɑנ%^ֈXYӚWxH񨻖}=|F1E{*?1|"du`%a!*.` 3ؙeuds1ЃT@yCb&C&d]TrZԩBZXc8Ud Ǣ&4gV.%w(7*eL}^2Zw j Q˚ f))I?Rtk}jROҏZbuPHUPqR]M.E%k߳M# !'%ShsPpnQbu#߳KbOBƋk`$W.; vm4C_5ʼ:|4c<j{ZuB!|CDO` EBPޝ]'PN |jHuߙXۃf o'rf@C.`K'_'Sj uQ%{W;jYA4uwW- dֽl@`e{s!m&R? B/H):vXnOy'~A["LOB " G J̫"W&wC'87k\=7|O]| Y RHدd΋B@mzd%ɈeLsc&N䙸츝Ogw2s֥ou