dirmngr-2.2.27-150300.3.8.1<>,De_Lp9|Yd9c[~++*AJT!PO$|V/~cud13h^@)4}C)z YDzofcd^NA]iV pQǼW61.r_p,w|PHnW ]r16EP`Uœ&)Y5]!T8.^HɔPӉK`L;~RE'R˂ |*.u. n/C+\}D<:/-9ؓŊpfiMv m>>`?Pd   H+ Abx~   0 ~  Pt( ( 8 g9 g:gF G(H`IXY\] ^ b bc d e f l u v wx yX&z LCdirmngr2.2.27150300.3.8.1Keyserver, CRL, and OCSP access for GnuPGSince version 2.1 of GnuPG, dirmngr takes care of accessing the OpenPGP keyservers. As with previous versions it is also used as a server for managing and downloading certificate revocation lists (CRLs) for X.509 certificates, downloading X.509 certificates, and providing access to OCSP providers. Dirmngr is invoked internally by gpg, gpgsm, or via the gpg-connect-agent tool.e_Libs-power9-11SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Securityhttps://www.gnupg.orglinuxppc64le %Fg Q큤A큤e_Ce_Ce_Ce_>e_>e_JYYYYY_]e_>e_>363d3b0036b02924d79cbd6c48b353c1f170e8300ffbff96d7d211c8aada87fd5dc8c0ba19784014dbc7d4a3f2cee342b01db4adf03c2700eba282a3ce063fd1b3ea0d7f3258294cb47e4fc3ea7b98ec65f7465ffa8f1eb7e4120dadbb15758280a3a80f9f1f337da555a6838483e1baca44cde8a8a3d8c4ba7743626304b981ecf24112b56a505e2bf90bcefe07d5582a3804213218ff49a38fe0a3345c7e3bbc2d6664f6276fa0a72d57633b3ae68dc7dcb677b71018bf08c8e93e509f1357ec4a7d97de212428cd53e09e0524616f0f584528e0698203fb4d71d6c55b48c58177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643d31a714a7ab67eb95ccae12b701e74fe307d771682f8792af7ed4e1ba33074a6b40f7806e14dd7aad5e0254c04c61bf1212de37296f1cd5782ffbc9e98cbee87909878b98dc2eaf3b07bbe1694ecd9f0523b7a621467c508d55daf28e0408be104b4a542df1449a80bb24fb0a470ba0d022e6c20ee4aecfbaa89f4287b965d327fe7424e4a829dd51fd50d54d813aab53aea855ad8b557e663c2fb563827d04drootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootgpg2-2.2.27-150300.3.8.1.src.rpmdirmngrdirmngr(ppc-64)@@@@@@@@@@@@@@@@@@@@@    libassuan.so.0()(64bit)libassuan.so.0(LIBASSUAN_1.0)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.25)(64bit)libgcrypt.so.20()(64bit)libgcrypt.so.20(GCRYPT_1.6)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgpg-error.so.0()(64bit)libgpg-error.so.0(GPG_ERROR_1.0)(64bit)libksba.so.8()(64bit)libksba.so.8(KSBA_0.9)(64bit)liblber-2.4.so.2()(64bit)libldap_r-2.4.so.2()(64bit)libnpth.so.0()(64bit)libnpth.so.0(NPTH_1.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libresolv.so.2()(64bit)libresolv.so.2(GLIBC_2.17)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3e]@bK@b@`3_@_@_@_P_O@_N7_ @_^m@^^t@^ku^M#@^g@^]@]e@]@]m]5@]'$] #\\@\@\\u*@\d\,\@[%@[@[[@[Xf@[H@[o[oZK@Z̧@ZZ@ZZ;@Z@Z@YYYY{'@Y@Y@XX@XX @XAXs{@X_XY@X0>W@W@WWW]@W.@WWbWPW)@VV_V%@Vd#@Va@VTQ@VO @VU@U5@U'U@UU~@Uyx@UXUQ@U) U@U @TgTD@TMT@T~@TuTa@T[botto.hollmann@suse.comdavid.anes@suse.commeissner@suse.compmonreal@suse.comandreas.stieger@gmx.deandreas.stieger@gmx.deandreas.stieger@gmx.deandreas.stieger@gmx.depmonreal@suse.comandreas.stieger@gmx.depmonrealgonzalez@suse.comandreas.stieger@gmx.depmonrealgonzalez@suse.compmonrealgonzalez@suse.comandreas.stieger@gmx.defvogt@suse.compmonrealgonzalez@suse.compmonrealgonzalez@suse.compmonrealgonzalez@suse.comandreas.stieger@gmx.depmonrealgonzalez@suse.compmonrealgonzalez@suse.comlnussel@suse.depmonrealgonzalez@suse.compmonrealgonzalez@suse.comjsikes@suse.depmonrealgonzalez@suse.compmonrealgonzalez@suse.comkbabioch@suse.dekbabioch@suse.depmonrealgonzalez@suse.comkbabioch@suse.depmonrealgonzalez@suse.comatoptsoglou@suse.comcrrodriguez@opensuse.orgkbabioch@suse.combwiedemann@suse.comkbabioch@suse.comtchvatal@suse.comastieger@suse.comkbabioch@suse.comkbabioch@suse.comastieger@suse.comkbabioch@suse.comkbabioch@suse.comastieger@suse.comfvogt@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.commarco.strigl@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comjengelh@inai.deastieger@suse.comtchvatal@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comtchvatal@suse.comastieger@suse.comastieger@suse.compjanouch@suse.deastieger@suse.comastieger@suse.comastieger@suse.comvcizek@suse.comp.drouand@gmail.comastieger@suse.comvcizek@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comastieger@suse.comschwab@linux-m68k.orgastieger@suse.comastieger@suse.commeissner@suse.comastieger@suse.comastieger@suse.comidonmez@suse.comastieger@suse.comastieger@suse.comastieger@suse.comandreas.stieger@gmx.dedev@stellardeath.organdreas.stieger@gmx.deandreas.stieger@gmx.devcizek@suse.comvcizek@suse.com- Suppress error message on trial reading as PEM format when using dirmngr to validate broken DER encoded files (bsc#1217212) * Add patches: - gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch - gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch- Security fix [CVE-2022-34903, bsc#1201225] - Vulnerable to status injection - Added patch gnupg-CVE-2022-34903.patch- gnupg-detect_FIPS_mode.patch: use AES as default cipher instead of 3DES if we are in FIPS mode. (bsc#1196125)- Update gpg2 for SLE15-SP3 [jsc#SLE-17559, bsc#1182572] - Remove patches fixed upstream: * gnupg-gpg-agent-ssh-agent.patch * gnupg-2.2.22-fix-segv-import-keys.patch * gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch * gnupg-CRL-fetching-via-https.patch * gnupg-CVE-2018-1000858.patch * gnupg-CVE-2018-12020.patch * gnupg-CVE-2019-13050_0_of_5.patch * gnupg-CVE-2019-13050_1_of_5.patch * gnupg-CVE-2019-13050_2_of_5.patch * gnupg-CVE-2019-13050_3_of_5.patch * gnupg-CVE-2019-13050_4_of_5.patch * gnupg-CVE-2019-13050_5_of_5.patch * gnupg-CVE-2019-14855.patch - Update gpg2.keyring- GnuPG 2.2.27: * gpgconf: Fix case with neither local nor global gpg.conf * gpgconf: Fix description of two new options - includes changes from 2.2.26: * gpg: New AKL method "ntds" * gpg: Fix --trusted-key with fingerprint arg * scd: Fix writing of ECC keys to an OpenPGP card * scd: Make an USB error fix specific to SPR532 readers * dirmngr: With new LDAP keyservers store the new attributes. Never store the useless pgpSignerID. Fix a long standing bug storing some keys on an ldap server. * dirmngr: Support the new Active Direcory LDAP schema for keyservers * dirmngr: Allow LDAP OpenPGP searches via fingerprint * dirmngr: Do not block other threads during keyserver LDAP calls * Support global configuration files * Fix the iconv fallback handling to UTF-8- GnuPG 2.2.25: * scd: Fix regression in 2.2.24 requiring gpg --card-status before signing or decrypting * gpgsm: Using Libksba 1.5.0 signatures with a rarely used combination of attributes can now be verified- GnuPG 2.2.24: * gpg: New command --quick-revoke-sig * gpg: Do not use weak digest algos if selected by recipient preference during sign+encrypt * gpg: Switch to AES256 for symmetric encryption in de-vs mode * gpg: Silence weak digest warnings with --quiet * gpg: Print new status line CANCELED_BY_USER for a cancel during symmetric encryption * gpg: Fix the encrypt+sign hash algo preference selection for ECDSA. This is in particular needed for keys created from existing smartcard based keys * agent: Fix secret key import of GnuPG 2.3 generated Ed25519 keys * agent: Keep some permissions of private-keys-v1.d * dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and gnutls builds * dirmngr: Fix the pool keyserver case for a single host in the pool * scd: Fix the use case of verify_chv2 by CHECKPIN * scd: Various improvements to the ccid-driver * scd: Minor fixes for Yubikey * gpgconf: New option --show-versions * i18n: Complete overhaul and completion of the Italian translation- GnuPG 2.2.23: * gpg: fix AHEAD preference list overflow boo#1176034 / CVE-2020-25125 * gpg: fix possible segv in the key cleaning code * gpgsm: fix a minor RFC2253 parser gub * scdaemon: Fix a PIN verify failure on certain OpenPGP card implementations- Fix segv importing certain keys (e.g. ed25519). [bsc#1176034] - Add gnupg-2.2.22-fix-segv-import-keys.patch- GnuPG 2.2.22: * gpg: Change the default key algorithm to rsa3072 * gpg: Add regular expression support for Trust Signatures on all platforms * gpg: Ignore --personal-digest-prefs for ECDSA keys * gpgsm: Make rsaPSS a de-vs compliant scheme * gpgsm: Show also the SHA256 fingerprint in key listings * gpgsm: Do not require a default keyring for --gpgconf-list * gpg-agent: Default to extended key format and record the creation time of keys Add new option --disable-extended-key-format * gpg-agent: Support the WAYLAND_DISPLAY envvar * gpg-agent: Allow using --gpgconf-list even if HOME does not exist * gpg-agent: Make the Pinentry work even if the envvar TERM is set to the empty string * scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly incremented the error counter when using the "verify" command of "gpg --edit-key" with only the signature key being present * dirmngr: Better handle systems with disabled IPv6 * gpgpslit: Install tool. It was not installed in the past to avoid conflicts with the version installed by GnuPG 1.4 * gpgtar: Make --files-from and --null work as documented - drop gnupg-gpgme-t-encrypt-sym.patch, upstream- Fix regression in latest gpg2 that makes gpgme fail to build [bsc#1174007] - Add gnupg-gpgme-t-encrypt-sym.patch- GnuPG 2.2.21: * gpg: Improve symmetric decryption speed by about 25% * gpg: Support decryption of AEAD encrypted data packets * gpg: Add option --no-include-key-block * gpg: Allow for extra padding in ECDH * gpg: Only a single pinentry is shown for symmetric encryption if the pinentry supports this * gpg: Print a note if no keys are given to --delete-key * gpg,gpgsm: The ridiculous passphrase quality bar is not anymore shown * gpgsm: Certificates without a CRL distribution point are now considered valid without looking up a CRL. The new option - -enable-issuer-based-crl-check can be used to revert to the former behaviour * gpgsm: Support rsaPSS signature verification * gpgsm: Unless CRL checking is disabled lookup a missing issuer certificate using the certificate's authorityInfoAccess * gpgsm: Print the certificate's serial number also in decimal notation * gpgsm: Fix possible NULL-deref in messages of --gen-key * scd: Support the CardOS 5 based D-Trust Card 3.1 * dirmngr: Allow http URLs with "LOOKUP --url" * wkd: Take name of sendmail from configure. Fixes an OpenBSD specific bug- Fix warning: agent returned different signature type ssh-rsa * The gpg-agent's ssh-agent does not handle flags in signing requests properly [bsc#1161268, bsc#1172308] * Add gnupg-gpg-agent-ssh-agent.patch- Fix gpgme and gpgme-qt builds on gpg2 2.2.20 update [bsc#1170811] - Refresh patches: * gnupg-2.2.8-files-are-digests.patch * gnupg-add_legacy_FIPS_mode_option.patch- GnuPG 2.2.20: * Protect the error counter against overflow to guarantee that the tools can't be tricked into returning success after an error * gpg: Make really sure that --verify-files always returns an error * gpg: Fix key listing --with-secret if a pattern is given * gpg: Fix detection of certain keys used as default-key * gpg: Fix default-key selection when a card is available * gpg: Fix key expiration and key usage for keys created with a creation date of zero * gpgsm: Fix import of some CR,LF terminated certificates * gpg: New options --include-key-block and --auto-key-import to allow encrypted replies after an initial signed message * gpg: Allow the use of a fingerprint with --trusted-key * gpg: New property "fpr" for use by --export-filter * scdaemon: Disable the pinpad if a KDF DO is used * dirmngr: Improve finding OCSP certificates - drop gpg2-gcc10-build-fno-common.patch, upstream- Split dirmngr into a subpackage to avoid a hard dependency of gpg2 on libgnutls- Fix build with GCC-10: [bsc#1160394] * Always use EXTERN_UNLESS_MAIN_MODULE pattern * In GCC-10, the default option -fcommon will change to -fno-common - Add gpg2-gcc10-build-fno-common.patch- Accept key updates even without UIDs [bsc#1143158] - Add patches: * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch * gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch * gnupg-add-test-cases-for-import-without-uid.patch- Security fix: [bsc#1157900, CVE-2019-14855, jsc#SLE-16534] * Web of Trust forgeries using collisions in SHA-1 signatures * Ignore all SHA-1 signatures in 3rd party key signatures. * Forbid the creation of SHA-1 third-party key signatures. * Add option --allow-weak-key-signatures - Add gnupg-CVE-2019-14855.patch- update to 2.2.19: * gpg: Fix double free when decrypting for hidden recipients * gpg: Use auto-key-locate for encryption even for mail addressed given with angle brackets * gpgsm: Add special case for certain expired intermediate certificates- Update to 2.2.18 [bsc#1157900, CVE-2019-14855] * gpg: Changed the way keys are detected on a smartcards; this allows the use of non-OpenPGP cards. In the case of a not very likely regression the new option --use-only-openpgp-card is available. [#4681] * gpg: The commands --full-gen-key and --quick-gen-key now allow direct key generation from supported cards. [#4681] * gpg: Prepare against chosen-prefix SHA-1 collisions in key signatures. This change removes all SHA-1 based key signature newer than 2019-01-19 from the web-of-trust. Note that this includes all key signature created with dsa1024 keys. The new option --allow-weak-key-signatues can be used to override the new and safer behaviour. [#4755,CVE-2019-14855] * gpg: Improve performance for import of large keyblocks. [#4592] * gpg: Implement a keybox compression run. [#4644] * gpg: Show warnings from dirmngr about redirect and certificate problems (details require --verbose as usual). * gpg: Allow to pass the empty string for the passphrase if the '--passphase=' syntax is used. [#4633] * gpg: Fix printing of the KDF object attributes. * gpg: Avoid surprises with --locate-external-key and certain - -auto-key-locate settings. [#4662] * gpg: Improve selection of best matching key. [#4713] * gpg: Delete key binding signature when deletring a subkey. [#4665,#4457] * gpg: Fix a potential loss of key sigantures during import with self-sigs-only active. [#4628] * gpg: Silence "marked as ultimately trusted" diagnostics if option --quiet is used. [#4634] * gpg: Silence some diagnostics during in key listsing even with option --verbose. [#4627] * gpg, gpgsm: Change parsing of agent's pkdecrypt results. [#4652] * gpgsm: Support AES-256 keys. * gpgsm: Fix a bug in triggering a keybox compression run if - -faked-system-time is used. * dirmngr: System CA certificates are no longer used for the SKS pool if GNUTLS instead of NTBTLS is used as TLS library. [#4594] * dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces to avoid long timeouts. [#4165] * scd: Fix BWI value for APDU level transfers to make Gemalto Ezio Shield and Trustica Cryptoucan work. [#4654,#4566] * wkd: gpg-wks-client --install-key now installs the required policy file. - Rebase patches: * gnupg-2.2.8-files-are-digests.patch * gnupg-add_legacy_FIPS_mode_option.patch- Remove self-buildrequire [bsc#1152755]- Do not recommend lang package. The lang package already has a supplements.- Security fix: [bsc#1141093, CVE-2019-13050] * Denial of service attacks via big keys * Added patches: - gnupg-CVE-2019-13050_0_of_5.patch - gnupg-CVE-2019-13050_1_of_5.patch - gnupg-CVE-2019-13050_2_of_5.patch - gnupg-CVE-2019-13050_3_of_5.patch - gnupg-CVE-2019-13050_4_of_5.patch - gnupg-CVE-2019-13050_5_of_5.patch- Update to 2.2.17 [bsc#1141093] * gpg: Do not try the import fallback if the options are already used. * gpg: Fix regression in option "self-sigs-only". * gpg: With --auto-key-retrieve prefer WKD over keyservers. * gpg: Add "self-sigs-only" and "import-clean" to the keyserver options. * gpg: Avoid printing false AKL error message. * gpg: New command --locate-external-key. * gpg: Make the get_pubkey_byname interface easier to understand. * gpg: Fallback to import with self-sigs-only on too large keyblocks. * gpg: New import and keyserver option "self-sigs-only" * gpg: Make read_block in import.c more flexible. * dirmngr: fix handling of HTTPS redirections during HKP. * dirmngr: Avoid endless loop in case of HTTP error 503. * dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain. * dirmngr: Support the new WKD draft with the openpgpkey subdomain. * wkd: Change client/server limit back to 64 KiB. * tools: gpgconf: Killing order is children-first. * Return better error code for some getinfo IPC commands. * po: Update Russian translation.- Fix secure memory being disabled before fips checks in libgcrypt [boo#1137307] * Added gnupg-2.2.16-secmem.patch- Update to 2.2.16 * gpg: Fixed i18n markup of some strings. * gpg: Allow deletion of subkeys with --delete-[secret-]key. * gpg: Do not bail on an invalid packet in the local keyring. * gpg: Do not allow creation of user ids larger than our parser allows. * gpg: Do not delete any keys if --dry-run is passed. * gpg: Fix using --decrypt along with --use-embedded-filename. * gpg: Improve the photo image viewer selection. * gpg: enable OpenPGP export of cleartext keys with comments. * gpg: Do not print a hint to use the deprecated --keyserver option. * gpg: Change update_keysig_packet to replace SHA-1 by SHA-256. * gpg: Use just the addrspec from the Signer's UID. * gpg: Accept also armored data from the WKD. * gpg: Set a limit of 5 to the number of keys imported from the WKD. * gpg: Don't use EdDSA algo ID for ECDSA curves. * agent: Stop scdaemon after reload when disable_scdaemon. * agent: For SSH key, don't put NUL-byte at the end. * agent: correct length for uri and comment on 64-bit big-endian platforms * dirmngr: Allow for other hash algorithms than SHA-1 in OCSP. * dirmngr: Improve domaininfo cache update algorithm. * dirmngr: Better error code for http status 413. * g10: Fix possible null dereference. * g10: Fix double free when locating by mbox. * g10: Fix symmetric cipher algo constant for ECDH. * sm: Avoid confusing diagnostic for the default key. * sm: Fix a warning in an es_fopencooie function. * gpgconf: Before --launch check that the config file is fine. * gpgconf: Support --homedir for --launch. * build: Update m4/iconv.m4. * doc: correct documentation for gpgconf --kill. * scd: Add dummy option --application-priority. * common: Fix AWK portability.- Allow coredumps in X11 desktop sessions (bsc#1124847) gpg-agent unconditionally disables coredumps, which is not supposed to happen in the code path that does just exec(argv[]) * Added gnupg-gpg-agent-ulimit.patch- Update to 2.2.15 * sm: Allow decryption even if expired keys are configured. * agent: Change command KEYINFO to print ssh fingerprints with other hash algos. * dirmngr: Fix build problems on Solaris due to the use of reserved symbol names. * wkd: New commands --print-wkd-hash and --print-wkd-url for gpg-wks-client.- Update to 2.2.14: * gpg: Allow import of PGP desktop exported secret keys. Also avoid importing secret keys if the secret keyblock is not valid. * gpg: Do not error out on version 5 keys in the local keyring. * gpg: Make invalid primary key algo obvious in key listings. * sm: Do not mark a certificate in a key listing as de-vs compliant if its use for a signature will not be possible. * sm: Fix certificate creation with key on card. * sm: Create rsa3072 bit certificates by default. * sm: Print Yubikey attestation extensions with --dump-cert. * agent: Fix cancellation handling for scdaemon. * agent: Support --mode=ssh option for CLEAR_PASSPHRASE. * scd: Fix flushing of the CA-FPR DOs in app-openpgp. * scd: Avoid a conflict error with the "undefined" app. * dirmngr: Add CSRF protection exception for protonmail. * dirmngr: Fix build problems with gcc 9 in libdns. * gpgconf: New option --show-socket for use wity --launch. * gpgtar: Make option -C work for archive creation. - Removed patches that are included upstream by now: - 0001-libdns-Avoid-using-compound-literals.patch - 0002-libdns-Avoid-using-compound-literals-2.patch - 0003-libdns-Avoid-using-compound-literals-3.patch - 0004-libdns-Avoid-using-compound-literals-4.patch - 0005-libdns-Avoid-using-compound-literals-5.patch - 0006-libdns-Avoid-using-compound-literals-6.patch - 0007-libdns-Avoid-using-compound-literals-7.patch - 0008-libdns-Avoid-using-compound-literals-8.patch- Fix build with gcc9 [bsc#1121223] * Avoid using compound literals - Upstream bug: https://dev.gnupg.org/T4367 * Added upstream patches: - 0001-libdns-Avoid-using-compound-literals.patch - 0002-libdns-Avoid-using-compound-literals-2.patch - 0003-libdns-Avoid-using-compound-literals-3.patch - 0004-libdns-Avoid-using-compound-literals-4.patch - 0005-libdns-Avoid-using-compound-literals-5.patch - 0006-libdns-Avoid-using-compound-literals-6.patch - 0007-libdns-Avoid-using-compound-literals-7.patch - 0008-libdns-Avoid-using-compound-literals-8.patch- Update to 2.2.13: * gpg: Implement key lookup via keygrip (using the & prefix). * gpg: Allow generating Ed25519 key from existing key. * gpg: Emit an ERROR status line if no key was found with -k. * gpg: Stop early when trying to create a primary Elgamal key. * gpgsm: Print the card's key algorithms along with their keygrips in interactive key generation. * agent: Clear bogus pinentry cache in the error case. * scd: Support "acknowledge button" feature. * scd: Fix for USB INTERRUPT transfer. * wks: Do no use compression for the the encrypted challenge and response. Release-info: https://dev.gnupg.org/T4290 See-also: gnupg-announce/2019q1/000434.html- Security fix: [bsc#1120346, CVE-2018-1000858] * Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF. * Added patches: - gnupg-CRL-fetching-via-https.patch - gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch - gnupg-CVE-2018-1000858.patch- Update to 2.2.12: * tools: New commands --install-key and --remove-key for gpg-wks-client. This allows to prepare a Web Key Directory on a local file system for later upload to a web server. * gpg: New --list-option "show-only-fpr-mbox". This makes the use of the new gpg-wks-client --install-key command easier on Windows. * gpg: Improve processing speed when --skip-verify is used. * gpg: Fix a bug where a LF was accidentally written to the console. * gpg: --card-status now shwos whether a card has the new KDF feature enabled. * agent: New runtime option --s2k-calibration=MSEC. New configure option --with-agent-s2k-calibration=MSEC. [#3399] * dirmngr: Try another keyserver from the pool on receiving a 502, 503, or 504 error. [#4175] * dirmngr: Avoid possible CSRF attacks via http redirects. A HTTP query will not anymore follow a 3xx redirect unless the Location header gives the same host. If the host is different only the host and port is taken from the Location header and the original path and query parts are kept. * dirmngr: New command FLUSHCRL to flush all CRLS from disk and memory. [#3967]- Code no longer uses libcurl, remove from buildrequires.- Update to 2.2.11: * gpgsm: Fix CRL loading when intermediate certicates are not yet trusted. * gpgsm: Fix an error message about the digest algo. * gpg: Fix a wrong warning due to new sign usage check introduced with 2.2.9. * gpg: Print the "data source" even for an unsuccessful keyserver query. * gpg: Do not store the TOFU trust model in the trustdb. * scd: Fix cases of "Bad PIN" after using "forcesig". * agent: Fix possible hang in the ssh handler. * dirmngr: Tack the unmodified mail address to a WKD request. * dirmngr: Tweak diagnostic about missing LDAP server file. * dirmngr: In verbose mode print the OCSP responder id. * dirmngr: Fix parsing of the LDAP port. * wks: Add option --directory/-C to the server. * wks: Add option --with-colons to the client. * Fix EBADF when gpg et al. are called by broken CGI scripts. * Fix some minor memory leaks and bugs.- Make package build reproducible (boo#1047218)- Update to 2.2.10: * Refresh expired keys originating from the WKD * Use a 256 KiB limit for a WKD imported key * New option --known-notation * dirmngr: Validate SRV records in WKD queries- Add basic udev rules for smartcards to be used with scdaemon, taken from debian: * scdaemon.udev- GnuPG 2.2.9: * dirmngr: Fix recursive resolver mode and other bugs in the libdns code * dirmngr: When using libgpg-error 1.32 or later a GnuPG build with NTBTLS support does not anymore block for dozens of seconds before returning data. * gpg: Fix bug in --show-keys which actually imported revocation certificates * gpg: Ignore too long user-ID and comment packets * gpg: Fix crash due to bad German translation. Improved printf format compile time check. * gpg: Handle missing ISSUER sub packet gracefully in the presence of the new ISSUER_FPR * gpg: Allow decryption using several passphrases in most cases. * gpg: Command --show-keys now enables the list options show-unusable-uids, show-unusable-subkeys, show-notations and show-policy-urls by default. * gpg: Command --show-keys now prints revocation certificates. * gpg: Add revocation reason to the "rev" and "rvs" records of the option --with-colons. [#1173] * gpg: Export option export-clean does now remove certain expired subkeys; export-minimal removes all expired subkeys. * gpg: New "usage" property for the drop-subkey filters.- Added gnupg-CVE-2018-12020.patch: Sanitize the diagnostic output of the original file name in verbose mode (bsc#1096745, CVE-2018-12020).- Update to version 2.2.8: * gpg: Decryption of messages not using the MDC mode will now lead to a hard failure even if a legacy cipher algorithm was used. The option - -ignore-mdc-error can be used to turn this failure into a warning. Take care: Never use that option unconditionally or without a prior warning. * gpg: The MDC encryption mode is now always used regardless of the cipher algorithm or any preferences. For testing --rfc2440 can be used to create a message without an MDC. * gpg: Sanitize the diagnostic output of the original file name in verbose mode (bsc#1096745, CVE-2018-12020) * gpg: Detect suspicious multiple plaintext packets in a more reliable way. * gpg: Fix the duplicate key signature detection code. * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc, - -disable-mdc and --no-disable-mdc have no more effect. * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the list of startup environment variables. - Refresh gnupg-2.0.18-files-are-digests.patch to gnupg-2.2.8-files-are-digests.patch- GnuPG 2.2.7: * gpg: New option --no-symkey-cache to disable the passphrase cache for symmetrical en- and decryption. * gpg: The ERRSIG status now prints the fingerprint if that is part of the signature * gpg: Relax emitting of FAILURE status lines * gpg: Add a status flag to "sig" lines printed with --list-sigs * gpg: Fix "Too many open files" when using --multifile * ssh: Return an error for unknown ssh-agent flags * dirmngr: Fix a CNAME problem with pools and TLS. Also use a fixed mapping of keys.gnupg.net to sks-keyservers.net * dirmngr: Try resurrecting dead hosts earlier (from 3h to 1.5h) * dirmngr: Fallback to CRL if no default OCSP responder is configured * dirmngr: Implement CRL fetching via https. Here a redirection to http is explictly allowed * agent,dirmngr: New sub-command "getenv" for "getinfo" to ease debugging- GnuPG 2.2.6: * gpg,gpgsm: New option --request-origin to pretend requests coming from a browser or a remote site. * gpg: Fix race condition on trustdb.gpg updates due to too early released lock. * gpg: Emit FAILURE status lines in almost all cases. * gpg: Implement --dry-run for --passwd to make checking a key's passphrase straightforward. * gpg: Make sure to only accept a certification capable key for key signatures. * gpg: Better user interaction in --card-edit for the factory-reset sub-command. * gpg: Improve changing key attributes in --card-edit by adding an explicit "key-attr" sub-command. * gpg: Print the keygrips in the --card-status. * scd: Support KDF DO setup. * scd: Fix suspend/resume handling in the CCID driver. * agent: Evict cached passphrases also via a timer. * agent: Use separate passphrase caches depending on the request origin. * ssh: Support signature flags. * dirmngr: Handle failures related to missing IPv6 support gracefully. * Allow the use of UNC directory names as homedir. [#3818] - Dropped gnupg-CVE-2018-9234.patch since it is included upstream- Added gnupg-CVE-2018-9234.patch: Enforce that key certification can only be done with the master key, and not a signing subkey. (bnc#1088255 CVE-2018-9234)- GnuPG 2.2.5: * gpg: Allow the use of the "cv25519" and "ed25519" short names in addition to the canonical curve names in --batch --gen-key * gpg: Make sure to print all secret keys with option --list-only and --decrypt * gpg: Fix the use of future-default with --quick-add-key for signing keys * gpg: Select a secret key by checking availability under gpg-agent * gpg: Fix reversed prompt texts for --only-sign-text-ids * gpg,gpgsm: Fix detection of bogus keybox blobs on 32 bit systems * gpgsm: Fix regression since 2.1 in --export-secret-key-raw which got $d mod (q-1)$ wrong * scd: Support the KDF Data Object of the OpenPGP card 3.3 * scd: Fix a regression in the internal CCID driver for certain card readers * dirmngr: Improve returned error description on failure of DNS resolving * wks: Implement command --install-key for gpg-wks-server.- Use %license (boo#1082318)- GnuPG 2.2.4: * gpg: Change default preferences to prefer SHA512. * gpg: Print a warning when more than 150 MiB are encrypted using a cipher with 64 bit block size. * gpg: Print a warning if the MDC feature has not been used for a message. * gpg: Fix regular expression of domain addresses in trust signatures * agent: New option --auto-expand-secmem to help with high numbers of concurrent connections. Requires libgcrypt 1.8.2 for having an effect. * dirmngr: Cache responses of WKD queries. * gpgconf: Add option --status-fd. * wks: Add commands --check and --remove-key to gpg-wks-server * Increase the backlog parameter of the daemons to 64 and add option --listen-backlog. - Not enabled features: * New configure option --enable-run-gnupg-user-socket to first try a socket directory which is not removed by systemd at session end.- GnuPG 2.2.3: * dirmngr: Fix crash in case of a CRL loading error * gpgtar: Fix wrong behaviour of --set-filename * gpg: Silence AKL retrieval messages * agent: Use clock or clock_gettime for calibration * agent: Improve robustness of the shutdown pending state- GnuPG 2.2.2: * gpg: Avoid duplicate key imports by concurrently running gpg processes * gpg: Fix creating on-disk subkey with on-card primary key * gpg: Fix validity retrieval for multiple keyrings * gpg: Fix --dry-run and import option show-only for secret keys * gpg: Print "sec" or "sbb" for secret keys with import option import-show * gpg: Make import less verbose * gpg: Add alias "Key-Grip" for parameter "Keygrip" and new parameter "Subkey-Grip" to unattended key generation * gpg: Improve "factory-reset" command for OpenPGP cards * gpg: Ease switching Gnuk tokens into ECC mode by using the magic keysize value 25519 * gpgsm: Fix --with-colon listing in crt records for fields > 12. * gpgsm: Do not expect X.509 keyids to be unique * agent: Fix stucked Pinentry when using --max-passphrase-days * agent: New option --s2k-count * dirmngr: Do not follow https-to-http redirects * dirmngr: Reduce default LDAP timeout from 100 to 15 seconds * gpgconf: Ignore non-installed components for commands - -apply-profile and --apply-defaults * Add configure option --enable-werror- GnuPG 2.2.1: * gpg: Fix formatting of the user id in batch mode key generation if only "name-email" is given. * gpgv: Fix annoying "not suitable for" warnings. * wks: Convey only the newest user id to the provider. This is the case if different names are used with the same addr-spec. * wks: Create a complying user id for provider policy mailbox-only. * wks: Add workaround for posteo.de. * scd: Fix the use of large ECC keys with an OpenPGP card. * dirmngr: Use system provided root certificates if no specific HKP certificates are configured. If bu- GnuPG 2.2.0: * New long term stable branch, replacing the 2.0.x series * gpg: Reverted change in 2.1.23 so that --no-auto-key-retrieve is again the default boo#1054088 * Fixed a few minor bugs- GnuPG 2.1.23: * gpg: Options --auto-key-retrieve and --auto-key-locate "local,wkd" are now used by default. Note: this enables keyserver and Web Key Directory operators to notice when a signature from a locally non-available key is being verified for the first time or when you intend to encrypt to a mail address without having the key locally. This new behaviour will eventually make key discovery much easier and mostly automatic. Disable this by adding no-auto-key-retrieve auto-key-locate local to your gpg.conf. * agent: Option --no-grab is now the default. The new option --grab allows to revert this. * gpg: New import option "show-only". * gpg: New option --disable-dirmngr to entirely disable network access for gpg. * gpg,gpgsm: Tweaked DE-VS compliance behaviour. * New configure flag --enable-all-tests to run more extensive tests during "make check". * gpgsm: The keygrip is now always printed in colon mode as documented in the man page.- GnuPG 2.1.22: * gpg: Extend command --quick-set-expire to allow for setting the expiration time of subkeys. * gpg: By default try to repair keys during import. New sub-option no-repair-keys for --import-options. * gpg,gpgsm: Improved checking and reporting of DE-VS compliance. * gpg: New options --key-origin and --with-key-origin. Store the time of the last key update from keyservers, WKD, or DANE. * agent: New option --ssh-fingerprint-digest. * dimngr: Lower timeouts on keyserver connection attempts and made it configurable. * dirmngr: Tor will now automatically be detected and used. The option --no-use-tor disables Tor detection. * dirmngr: Now detects a changed /etc/resolv.conf. * agent,dirmngr: Initiate shutdown on removal of the GnuPG home directory. * gpg: Avoid caching passphrase for failed symmetric encryption. * agent: Support for unprotected ssh keys. * dirmngr: Fixed name resolving on systems using only v6 nameservers. * dirmngr: Allow the use of TLS over http proxies. * wks: New man pages for client and server.- GnuPG 2.1.21: * modified gnupg-2.0.18-files-are-digests.patch to work with obs-sign again bsc#1039899- GnuPG 2.1.21: * gpg,gpgsm: Fix corruption of old style keyring.gpg files, regression in 2.1.20 * gpg,dirmngr: Removed the skeleton config file support New installations no longer generate a configuration file. In the absence of a file, SHA-2 family hashes are used. Existing configurations are not touched. drop gnupg-2.1.19-stronger-defaults.patch FATE#323084 * gpg: Fixed import filter property match bug. * scd: Removed Linux support for Cardman 4040 PCMCIA reader. * scd: Fixed some corner case bugs in resume/suspend handling. * Many minor bug fixes and code cleanup.- GnuPG 2.1.20: * gpg: New properties 'expired', 'revoked', and 'disabled' for the import and export filters. * gpg: New command --quick-set-primary-uid. * gpg: New compliance field for the --with-colon key listing. * gpg: Changed the key parser to generalize the processing of local meta data packets. * gpg: Fixed assertion failure in the TOFU trust model. * gpg: Fixed exporting of zero length user ID packets. * scd: Improved support for multiple readers. * scd: Fixed timeout handling for key generation. * agent: New option --enable-extended-key-format. * dirmngr: Do not add a keyserver to a new dirmngr.conf. Dirmngr uses a default keyserver. * dimngr: Do not treat TLS warning alerts as severe error when building with GNUTLS. * dirmngr: Actually take /etc/hosts in account. * wks: Fixed client problems on Windows. Published keys are now set to world-readable. * tests: Fixed creation of temporary directories. * A socket directory for a non standard GNUGHOME is now created on the fly under /run/user. Thus "gpgconf --create-socketdir" is now optional. The use of "gpgconf --remove-socketdir" to clean up obsolete socket directories is however recommended to avoid cluttering /run/user with useless directories. * Fixed build problems on some platforms.- Use stronger defaults for new users, using SHA-2 digest family for certificates and message signatures - FATE#323084 adding gnupg-2.1.19-stronger-defaults.patch- GnuPG 2.1.19: * gpg: Print a warning if Tor mode is requested but the Tor daemon is not running. * gpg: New status code DECRYPTION_KEY to print the actual private key used for decryption. * gpgv: New options --log-file and --debug. * gpg-agent: Revamp the prompts to ask for card PINs. * scd: Support for multiple card readers. * scd: Removed option --debug-disable-ticker. Ticker is used only when it is required to watch removal of device/card. * scd: Improved detection of card inserting and removal. * dirmngr: New option --disable-ipv4. * dirmngr: New option --no-use-tor to explicitly disable the use of Tor. * dirmngr: The option --allow-version-check is now required even if the option --use-tor is also used. * dirmngr: Handle a missing nsswitch.conf gracefully. * dirmngr: Avoid PTR lookups for keyserver pools. The are only done for the debug command "keyserver --hosttable". * dirmngr: Rework the internal certificate cache to support classes of certificates. Load system provided certificates on startup. * Add options --tls, --no-crl, and --systrust to the "VALIDATE" command. * dirmngr: Add support for the ntbtls library. * wks: Create mails with a "WKS-Phase" header. Fix detection of Draft-2 mode. * Many other bug fixes and new regression tests. - dirmngr: use system certificate store- Rewrite descriptions- GnuPG 2.1.18: * gpg: Remove bogus subkey signature while cleaning a key (with export-clean, import-clean, or --edit-key's sub-command clean) * gpg: Allow freezing the clock with --faked-system-time. * gpg: New --export-option flag "backup", new --import-option flag "restore". * gpg-agent: Fixed long delay due to a regression in the progress callback code. * scd: Lots of code cleanup and internal changes. * scd: Improved the internal CCID driver. * dirmngr: Fixed problem with the DNS glue code (removal of the trailing dot in domain names). * dirmngr: Make sure that Tor is actually enabled after changing the conf file and sending SIGHUP or "gpgconf --reload dirmngr". * dirmngr: Fixed Tor access to IPv6 addresses. Note that current versions of Tor may require that the flag "IPv6Traffic" is used with the option "SocksPort" in torrc to actually allow IPv6 traffic. * dirmngr: Fixed HKP for literally given IPv6 addresses. * dirmngr: Enabled reverse DNS lookups via Tor. * dirmngr: Added experimental SRV record lookup for WKD. See commit 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10 for details. * dirmngr: For HKP use "pgpkey-hkps" and "pgpkey-hkp" in SRV record lookups. Avoid SRV record lookup when a port is explicitly specified. This fixes a regression from the 1.4 and 2.0 behavior. * dirmngr: Gracefully handle a missing /etc/nsswitch.conf. Ignore negation terms (e.g. "[!UNAVAIL=return]" instead of bailing out. * dirmngr: Better debug output for flags "dns" and "network". * dirmngr: On reload mark all known HKP servers alive. * gpgconf: Allow keyword "all" for --launch, --kill, and --reload. * tools: gpg-wks-client now ignores a missing policy file on the server. * Avoid unnecessary ambiguity error message in the option parsing. * Further improvements of the regression test suite. * Fixed building with --disable-libdns configure option. * Fixed a crash running the tests on 32 bit architectures. * Fixed spurious failures on BSD system in the spawn functions. This affected for example gpg-wks-client and gpgconf.- Remove the fixme, condition around fdupes- add runtime dependency to match runtime version check for libksba- GnuPG 2.1.17: * gpg: By default new keys expire after 2 years. * gpg: New command --quick-set-expire to conveniently change the expiration date of keys. * gpg: Option and command names have been changed for easier comprehension. The old names are still available as aliases. * gpg: Improved the TOFU trust model. * gpg: New option --default-new-key-algo. * scd: Support OpenPGP card V3 for RSA. * dirmngr: Support for the ADNS library has been removed. Now using bundled libdns, enabling Tor support on all platforms. New option --standard-resolver can be used to disable this code at runtime. * dirmngr: Lazily launch ldap reaper thread. * tools: New options --check and --status-fd for gpg-wks-client. * The UTF-8 byte order mark is now skipped when reading conf files. * Fixed many bugs and regressions. * Major improvements to the test suite. For example it is possible to run the external test suite of GPGME.- GnuPG 2.1.16: * gpg: New algorithm for selecting the best ranked public key when using a mail address with -r, -R, or --locate-key. * gpg: New option --with-tofu-info to print a new "tfs" record in colon formatted key listings. * gpg: New option --compliance as an alternative way to specify options like --rfc2440, --rfc4880, et al. * gpg: Many changes to the TOFU implementation. * gpg: Improve usability of --quick-gen-key. * gpg: In --verbose mode print a diagnostic when a pinentry is launched. * gpg: Remove code which warns for old versions of gnome-keyring. * gpg: New option --override-session-key-fd. * gpg: Option --output does now work with --verify. * gpgv: New option --output to allow saving the verified data. * gpgv: New option --enable-special-filenames. * agent, dirmngr: New --supervised mode for use by systemd and alike. * agent: By default listen on all available sockets using standard names. * agent: Invoke scdaemon with --homedir. * dirmngr: On Linux now detects the removal of its own socket and terminates. * scd: Support ECC key generation. * scd: Support more card readers. * dirmngr: New option --allow-version-check to download a software version database in the background. * dirmngr: Use system provided CAs if no --hkp-cacert is given. * dirmngr: Use a default keyserver if none is explicitly set * gpgconf: New command --query-swdb to check software versions against an copy of an online database. * gpgconf: Print the socket directory with --list-dirs. * tools: The WKS tools now support draft version -02. * tools: Always build gpg-wks-client and install under libexec. * tools: New option --supported for gpg-wks-client. * The log-file option now accepts a value "socket://" to log to the socket named "S.log" in the standard socket directory. * Provide fake pinentries for use by tests cases of downstream developers. * Fixed many bugs and regressions. * Many changes and improvements for the test suite. - drop upstreamed patches: * 0001-common-Follow-up-to-14479e2-fix-void-return-in-non-v.patch * gnupg-2.1.15-bsc993324-status-output.patch- avoid mixing up status and colon line output - bsc#993324 add gnupg-2.1.15-bsc993324-status-output.patch- enable web key discovery tools- Add an explicit runtime dependency on libgcrypt >= 1.7.0 to match runtime version check- GnuPG 2.1.15: * gpg: Remove the --tofu-db-format option and support for the split TOFU database. * gpg: Add option --sender to prepare for coming features. * gpg: Add option --input-size-hint to help progress indicators. * gpg: Extend the PROGRESS status line with the counted unit. * gpg: Avoid publishing the GnuPG version by default with --armor. * gpg: Properly ignore legacy keys in the keyring cache. * gpg: Always print fingerprint records in --with-colons mode. * gpg: Make sure that keygrips are printed for each subkey in - -with-colons mode. * gpg: New import filter "drop-sig". * gpgsm: Fix a bug in the machine-readable key listing. * gpg,gpgsm: Block signals during keyring updates to limits the effects of a Ctrl-C at the wrong time. * g13: Add command --umount and other fixes for dm-crypt. * agent: Fix regression in SIGTERM handling. * agent: Cleanup of the ssh-agent code. * agent: Allow import of overly long keys. * scd: Fix problems with card removal. * dirmngr: Remove all code for running as a system service. * tools: Make gpg-wks-client conforming to the specs. * tests: Improve the output of the new regression test tool. * tests: Distribute the standalone test runner. * tests: Run each test in a clean environment. * Spelling and grammar fixes. - fix build error, adding 0001-common-Follow-up-to-14479e2-fix-void-return-in-non-v.patch- GnuPG 2.1.14: * gpg: Removed options --print-dane-records and --print-pka-records. The new export options "export-pka" and "export-dane" can instead be used with the export command. * gpg: New options --import-filter and --export-filter. * gpg: New import options "import-show" and "import-export". * gpg: New option --no-keyring. * gpg: New command --quick-revuid. * gpg: New options -f/--recipient-file and -F/--hidden-recipient-file to directly specify encryption keys. * gpg: New option --mimemode to indicate that the content is a MIME part. Does only enable --textmode right now. * gpg: New option --rfc4880bis to allow experiments with proposed changes to the current OpenPGP specs. * gpg: Fix regression in the "fetch" sub-command of --card-edit. * gpg: Fix regression since 2.1 in option --try-all-secrets. * gpgv: Change default options for extra security. * gpgsm: No more root certificates are installed by default. * agent: "updatestartuptty" does now affect more environment variables. * scd: The option --homedir does now work with scdaemon. * scd: Support some more GEMPlus card readers. * gpgtar: Fix handling of '-' as file name. * gpgtar: New commands --create and --extract. * gpgconf: Tweak for --list-dirs to better support shell scripts. * tools: Add programs gpg-wks-client and gpg-wks-server to implement a Web Key Service. The configure option --enable-wks-tools is required to build them; they should be considered Beta software. * tests: Complete rework of the openpgp part of the test suite. The test scripts have been changed from Bourne shell scripts to Scheme programs. A customized scheme interpreter (gpgscm) is included. This change was triggered by the need to run the test suite on non-Unix platforms. * The rendering of the man pages has been improved. - drop upstream gnupg-make_--try-all-secrets_work.patch- Fix date call as the curlified parameter for sure are not parsed correctly by escaping it with %- Fix upstream bug 1985: --try-all-secrets doesn't work when decrypting messages encrypted with --hidden-recipient, fixes unit tests of the duplicity package. Adding gnupg-make_--try-all-secrets_work.patch - record the fact that gpg-error 1.21 is required- GnuPG 2.1.13: * gpg: New command --quick-addkey. Extend the --quick-gen-key command. * gpg: New --keyid-format "none" which is now also the default. * gpg: New option --with-subkey-fingerprint. * gpg: Include Signer's UID subpacket in signatures if the secret key has been specified using a mail address and the new option - -disable-signer-uid is not used. * gpg: Allow unattended deletion of a secret key. * gpg: Allow export of non-passphrase protected secret keys. * gpg: New status lines KEY_CONSIDERED and NOTATION_FLAGS. * gpg: Change status line TOFU_STATS_LONG to use '~' as a non-breaking-space character. * gpg: Speedup key listings in Tofu mode. * gpg: Make sure that the current and total values of a PROGRESS status line are small enough. * gpgsm: Allow the use of AES192 and SERPENT ciphers. * dirmngr: Adjust WKD lookup to current specs. * dirmngr: Fallback to LDAP v3 if v2 is is not supported. * gpgconf: New commands --create-socketdir and --remove-socketdir, new option --homedir. * If a /run/user/$UID directory exists, that directory is now used for IPC sockets instead of the GNUPGHOME directory. This fixes problems with NFS and too long socket names and thus avoids the need for redirection files. * Speedup fd closing after a fork. - drop upstreamed gnupg-fix-signature-checking.patch- add gnupg-fix-signature-checking.patch (bsc#981020) https://bugs.gnupg.org/gnupg/issue2351- GnuPG 2.1.12: * gpg: New --edit-key sub-command "change-usage" for testing purposes. * gpg: Out of order key-signatures are now systematically detected and fixed by --edit-key. * gpg: Improved detection of non-armored messages. * gpg: Removed the extra prompt needed to create Curve25519 keys. * gpg: Improved user ID selection for --quick-sign-key. * gpg: Use the root CAs provided by the system with --fetch-key. * gpg: Add support for the experimental Web Key Directory key location service. * gpg: Improve formatting of Tofu messages and emit new Tofu specific status lines. * gpgsm: Add option --pinentry-mode to support a loopback pinentry. * gpgsm: A new pubring.kbx is now created with the header blob so that gpg can detect that the keybox format needs to be used. * agent: Add read support for the new private key protection format openpgp-s2k-ocb-aes. * agent: Add read support for the new extended private key format. * agent: Default to --allow-loopback-pinentry and add option - -no-allow-loopback-pinentry. * scd: Changed to use the new libusb 1.0 API for the internal CCID driver. * dirmngr: The dirmngr-client does now auto-detect the PEM format. * g13: Add experimental support for dm-crypt. * The man pages for gpg and gpgv are now installed under the correct name (gpg2 or gpg - depending on a configure option).- GnuPG 2.1.11: * gpg: New command --export-ssh-key to replace the gpgkey2ssh tool. * gpg: Allow to generate mail address only keys with --gen-key. * gpg: "--list-options show-usage" is now the default. * gpg: Make lookup of DNS CERT records holding an URL work. * gpg: Emit PROGRESS status lines during key generation. * gpg: Don't check for ambigious or non-matching key specification in the config file or given to --encrypt-to. This feature will return in 2.3.x. * gpg: Lock keybox files while updating them. * gpg: Fix possible keyring corruption. (bug#2193) * gpg: Fix regression of "bkuptocard" sub-command in --edit-key and remove "checkbkupkey" sub-command introduced with 2.1. (bug#2169) * gpg: Fix internal error in gpgv when using default keyid-format. * gpg: Fix --auto-key-retrieve to work with dirmngr.conf configured keyservers. (bug#2147). * agent: New option --pinentry-timeout. * scd: Fix regression for generating RSA keys on card. * dirmmgr: All configured keyservers are now searched. * dirmngr: Install CA certificate for hkps.pool.sks-keyservers.net. Use this certiticate even if --hkp-cacert is not used. * gpgtar: Add actual encryption code. gpgtar does now fully replace gpg-zip. * gpgtar: Fix filename encoding problem on Windows. * Print a warning if a GnuPG component is using an older version of gpg-agent, dirmngr, or scdaemon. - disable running test which no longer work - remove 0001-gpg-Improve-the-keyblock-cache-s-transparency.patch is now upstream - the PIE options are implemented in the upstream build, and spec code broke the build. The only remaining broken executable was gpgsplit, which was removed from the package- add g13, an experimental tool for accessing encrypted storage with with GnuPG (cards)- fix fingerprint ambiguity (bsc#958891) * https://bugs.gnupg.org/gnupg/issue2198 * add 0001-gpg-Improve-the-keyblock-cache-s-transparency.patch- Move to pkgconfig() packaging style- GnuPG 2.1.10 adds TOFU (Trust-On-First-USe) and anonymous key retrival via Tor. * gpg: New trust models "tofu" and "tofu+pgp". * gpg: New command --tofu-policy. New options --tofu-default-policy and --tofu-db-format. * gpg: New option --weak-digest to specify hash algorithms which should be considered weak. * gpg: Allow the use of multiple --default-key options; take the last available key. * gpg: New option --encrypt-to-default-key. * gpg: New option --unwrap to only strip the encryption layer. * gpg: New option --only-sign-text-ids to exclude photo IDs from key signing. * gpg: Check for ambigious or non-matching key specification in the config file or given to --encrypt-to. * gpg: Show the used card reader with --card-status. * gpg: Print export statistics and an EXPORTED status line. * gpg: Allow selecting subkeys by keyid in --edit-key. * gpg: Allow updating the expiration time of multiple subkeys at once. * dirmngr: New option --use-tor. For full support this requires libassuan version 2.4.2 and a patched version of libadns (e.g. adns-1.4-g10-7 as used by the standard Windows installer). * dirmngr: New option --nameserver to specify the nameserver used in Tor mode. * dirmngr: Keyservers may again be specified by IP address. * dirmngr: Fixed problems in resolving keyserver pools. * dirmngr: Fixed handling of premature termination of TLS streams so that large numbers of keys can be refreshed via hkps. * gpg: Fixed a regression in --locate-key [since 2.1.9]. * gpg: Fixed another bug for keyrings with legacy keys. * gpgsm: Allow combinations of usage flags in --gen-key. * Make tilde expansion work with most options. * Many other cleanups and bug fixes.- enable tests for PPC64 again, the problem from bsc#935887 went away- Improve upgrade to gpg2 from security:privacy w.r.t. libassuan run-time dependencies (boo#955982)- GnuPG 2.1.9: * gpg: Allow fetching keys via OpenPGP DANE (--auto-key-locate).\ New option --print-dane-records. * gpg: Fix for a problem with PGP-2 keys in a keyring. * gpg: Fail with an error instead of a warning if a modern cipher algorithm is used without a MDC. * agent: New option --pinentry-invisible-char. * agent: Always do a RSA signature verification after creation. * agent: Fix a regression in ssh-add-ing Ed25519 keys. * agent: Fix ssh fingerprint computation for nistp384 and EdDSA. * agent: Fix crash during passprase entry on some platforms. * scd: Change timeout to fix problems with some 2.1 cards. * dirmngr: Displayed name is now Key Acquirer. * dirmngr: Add option --keyserver. Deprecate that option for gpg. Install a dirmngr.conf file from a skeleton for new installations. - update gnupg-add_legacy_FIPS_mode_option.patch for context change- GnuPG 2.1.8: * gpg: Sending very large keys to the keyservers works again. * gpg: Validity strings in key listings are now again translatable. * gpg: Emit FAILURE status lines to help GPGME. * gpg: Does not anymore link to Libksba to reduce dependencies. * gpgsm: Export of secret keys via Assuan is now possible. * agent: Raise the maximum passphrase length from 100 to 255 bytes. * agent: Fix regression using EdDSA keys with ssh. * Does not anymore use a build timestamp by default. * The fallback encoding for broken locale settings changed from Latin-1 to UTF-8. * Many code cleanups and improved internal documentation. * Various minor bug fixes.- GnuPG 2.1.7: * gpg: Support encryption with Curve25519 if Libgcrypt 1.7 is used. * gpg: In the --edit-key menu: Removed the need for "toggle", changed how secret keys are indicated, new commands "fpr *" and "grip". * gpg: More fixes related to legacy keys in a keyring. * gpgv: Does now also work with a "trustedkeys.kbx" file. * scd: Support some feature from the OpenPGP card 3.0 specs. * scd: Improved ECC support * agent: New option --force for the DELETE_KEY command. * Dropped deprecated gpgsm-gencert.sh * Various other bug fixes.- do not run checks on ppc64 for now- GnuPG 2.1.6: * agent: New option --verify for the PASSWD command. * gpgsm: Add command option "offline" as an alternative to - -disable-dirmngr. * gpg: Do not prompt multiple times for a password in pinentry loopback mode. * Allow the use of debug category names with --debug. * Using gpg-agent and gpg/gpgsm with different locales will now show the correct translations in Pinentry. * gpg: Improve speed of --list-sigs and --check-sigs. * gpg: Make --list-options show-sig-subpackets work again. * gpg: Fix an export problem for old keyrings with PGP-2 keys. * scd: Support PIN-pads on more readers. * dirmngr: Properly cleanup zombie LDAP helper processes and avoid hangs on dirmngr shutdown. * Various other bug fixes. - remove documentation make workaround, fixed upstream- Enable workaround for missing dependencies everywhere- fix build with openSUSE 13.2 and earlier, call make to compensate for incorrect documentation dependencies.- GnuPG 2.1.5: * Support for an external passphrase cache. * Support for the forthcoming version 3 OpenPGP smartcard. * Manuals now show the actual used file names. * Prepared for improved integration with Emacs. * Code cleanups and minor bug fixes.- info deinstall needs to be in %preun- update to 2.1.4: * gpg: Add command --quick-adduid to non-interacitivly add a new user id to an existing key. * gpg: Do no enable honor-keyserver-url by default. Make it work if enabled. * gpg: Display the serial number in the --card-staus output again. * agent: Support for external password managers. Add option --no-allow-external-cache. * scdaemon: Improved handling of extended APDUs. * Make HTTP proxies work again. * All network access including DNS as been moved to Dirmngr. * Allow building without LDAP support. * Fixed lots of smaller bugs.- update to 2.1.3: * gpg: LDAP keyservers are now supported by 2.1. * gpg: New option --with-icao-spelling. * gpg: New option --print-pka-records. Changed the PKA method to use CERT records and hashed names. * gpg: New command --list-gcrypt-config. New parameter "curve" for --list-config. * gpg: Print a NEWSIG status line like gpgsm always did. * gpg: Print MPI values with --list-packets and --verbose. * gpg: Write correct MPI lengths with ECC keys. * gpg: Skip legacy PGP-2 keys while searching. (drop 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch now upstream) * gpg: Improved searching for mail addresses when using a keybox. * gpgsm: Changed default algos to AES-128 and SHA-256. * gpgtar: Fixed extracting files with sizes of a multiple of 512. * dirmngr: Fixed SNI handling for hkps pools. (drop hkps-fix-host-name-verification-when-using-pools.patch now upstream) * dirmngr: extra-certs and trusted-certs are now always loaded from the sysconfig dir instead of the homedir. * Fixed possible problems due to compiler optimization, two minor regressions, and other bugs. - refreshed for context changes: * gnupg-2.0.18-files-are-digests.patch * gnupg-add_legacy_FIPS_mode_option.patch- Add hkps-fix-host-name-verification-when-using-pools.patch to fix hkps support w/ pools. Upstream commit dc10d46.- Ensure secure memory can be used with default 64k memlock limit Fixes [boo#915931], removes gnupg-large_keys.patch - Removed gnupg-remove_development_version_warning.patch, obsolete - Removed gnupg-2.0.4-install_tools.diff, replaced by spec install - Removed autoconf requirement and autoreconf calls thus obsoleted- Fix invalid packet read error when reading keyrings [boo#914625] add 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch- update to 2.1.2: * gpg: The parameter 'Passphrase' for batch key generation works again. * gpg: Using a passphrase option in batch mode now has the expected effect on --quick-gen-key. * gpg: Improved reporting of unsupported PGP-2 keys. * gpg: Added support for algo names when generating keys using - -command-fd. * gpg: Fixed DoS based on bogus and overlong key packets. * agent: When setting --default-cache-ttl the value for --max-cache-ttl is adjusted to be not lower than the former. * agent: Fixed problems with the new --extra-socket. * agent: Made --allow-loopback-pinentry changeable with gpgconf. * agent: Fixed importing of unprotected openpgp keys. * agent: Now tries to use a fallback pinentry if the standard pinentry is not installed. * scd: Added support for ECDH. * Fixed several bugs related to bogus keyrings and improved some other code. - in gnupg-2.0.18-files-are-digests.patch, change buffer_to_u32 to buf32_to_u32 from host2net.h to match upstream changes - now requires automake 1.14- update to 2.1.1: * gpg: Detect faulty use of --verify on detached signatures. * gpg: New import option "keep-ownertrust". * gpg: New sub-command "factory-reset" for --card-edit. * gpg: A stub key for smartcards is now created by --card-status. * gpg: Fixed regression in --refresh-keys. * gpg: Fixed regresion in %g and %p codes for --sig-notation. * gpg: Fixed best matching hash algo detection for ECDSA and EdDSA. * gpg: Improved perceived speed of secret key listisngs. * gpg: Print number of skipped PGP-2 keys on import. * gpg: Removed the option aliases --throw-keyid and --notation-data; use --throw-keyids and --set-notation instead. * gpg: New import option "keep-ownertrust". * gpg: Skip too large keys during import. * gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or dirmngr. * gpg-agent: New option --extra-socket to provide a restricted command set for use with remote clients. * gpgconf --kill does not anymore start a service only to kill it. * gpg-pconnect-agent: Add convenience option --uiserver. * More translations (but most of them are not complete). * To support remotely mounted home directories, the IPC sockets may now be redirected. This feature requires Libassuan 2.2.0. * Improved portability and the usual bunch of bug fixes. - removed patch not part of upstream release: gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch - refresh for context changes: gnupg-2.0.18-files-are-digests.patch gnupg-2.0.4-install_tools.diff - refresh for upstream code changes: gnupg-add_legacy_FIPS_mode_option.patch gnupg-detect_FIPS_mode.patch (MD5 removed)- Support for large RSA keys This involves compiling with --enable-large-rsa and - -enable-large-secmem, as well as patching the number of secmem bytes and IPC bytes to slightly larger values. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739424 * added gnupg-large_keys.patch- update build requirement versions that changed with 2.1.0- fix buffer overflow in OID to string conversion function [boo#907198], adding gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch- obsolete dirmngr (shipped with gpg since 2.1.0) - spec cleanup after previous update - get rid of "THIS IS A DEVELOPMENT VERSION" warning http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html * added gnupg-remove_development_version_warning.patch- upgrade to 2.1.0 (modern) - The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported. - All support for PGP-2 keys has been removed for security reasons. - The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key. - Support for Elliptic Curve Cryptography (ECC) is now available. - Commands to create and sign keys from the command line without any extra prompts are now available. - The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog. - There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed. - Problems with importing keys with the same long key id have been addressed. - The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver. - Keyserver pools are now handled in a smarter way. - A new format for locally storing the public keys is now used. This considerable speeds up operations on large keyrings. - Revocation certificates are now created by default. - Card support has been updated, new readers and token types are supported. - The format of the key listing has been changed to better identify the properties of a key. - The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement. - Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use on TLS servers. - dropped patches: * gnupg-2.0.20-automake113.diff * gnupg-2.0.18-tmpdir.diff (socket is created in homedir now) - refresh most of the remaining patches - added new BuildRequires: gnutls-devel, pkg-config, npth-develibs-power9-11 1700758092 2.2.27-150300.3.8.12.2.27-150300.3.8.1dirmngrdirmngr-clientdirmngr_ldapdirmngr.servicedirmngr.socketdirmngrCOPYINGCOPYING.CC0COPYING.GPL2COPYING.LGPL21COPYING.LGPL3COPYING.otherdirmngr-client.1.gzdirmngr.8.gz/usr/bin//usr/share/doc/packages/gpg2/examples/systemd-user//usr/share/licenses//usr/share/licenses/dirmngr//usr/share/man/man1//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:31603/SUSE_SLE-15-SP3_Update/dec7b1f9876cca7e89f253f05f9356a8-gpg2.SUSE_SLE-15-SP3_Updatedrpmxz5ppc64le-suse-linuxELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=370773efb88d9f6ca17c26064d7c6016a36cc0bb, for GNU/Linux 3.10.0, strippedELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=e7f70714f292900050f7d12afa3b2f315ea7ff4b, for GNU/Linux 3.10.0, strippedELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=d744a88f54dd8617d743a5e3ea54182c55b1c79e, for GNU/Linux 3.10.0, strippedASCII textdirectoryUTF-8 Unicode texttroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) RRR RRRR RRRRRR RR RRRRRRR RRRRR RRR RRRR RRR R̍0q. rutf-800cb2381b3ddc03e5e071319ec38784721efcb06b0c864182fd7da8da4742ae8? 7zXZ !t/)C]"k%U4o8#i=8 rAyBL`:CGFZ SNBvMwGCc>@[%˛NpKu^Re}`{}/>,' < <C{>Dqd5㼳gi~=0hW rhuhD;VUD\ksF*%s2W1KD*{^T+֨ hO}ds5Ɏ[Dbq_E:ښ3Ju(l/A y0o"[vyfn)Fi7ϕPU.&1J4RaOS4"*bKSuu(=mKRb.T*4S3JfDZ|x" £g8Xn0v+7׸Th /5c%J&K\'Qx&P:@ތ#ܦ).V)ˎ0H|AqzNcZP pFTᬋG-Vܧbj5+yKU=%k6Tf_ltKƧ:&ff0 ?:!rq#v.[E (oPM?GOtӱ05W@_֗VNթ)d!unN>[kȸ4e ‚2ŅE{uZlL9d#3Ҙ8أ)~fz=U[2G_]3FP6'Zys`x'-i H Y}5v+eŪx智"0ѥ˒*w# J T|$x¹ɸ~wСAI;lԠh%ژ_G%:a_D\|ZDa>"v|"g_k * A/_-LdwJƬ&\㪤o/f4|˛*emvCջffw3j;J +oH'MrCѲ=5?,ǿKb7U{a!Yře\0Ӻ$-jxn\E퍰t"I~9mkSk!2gz*<[ D{LQ`!/My6ut}d(M@.V{ C:73!D2+}Z޾=Gkb1f ֱ^AJSLXh3-zAIV!g0א˸GH zYA\B2t)L5[*"mSG2H-|O}6Jx o5 ^:2mJpu죿Ob j㱠%fRN Ac(Wİ';jHJ>Sa)~ d_RvI[.*P:atݭ4rS]? UY]Z\8 [2<ЪFlmL]Z -* ߓu5̮7u8^AQHPBԏ.XB?)ޑ9Gf-Q~HW?וٯ.s,z撢(;:*^c 8Ns!B I)icfqqSg34nD0n j#[~4:7ڝ`-ਗXn.1[=XN i*N9kO^y,?vluV(|%)hSh:'lkaǽ! +fZ#1R{nf\>%3mN"CVk7Y ,Sܭ^GJ8_͆lm|L.5 Ѱ (W9tQPLonynlE C0{7@z /įEmHeE:°52!іMNQ 5kMdhfP#co $>Z=r"Zpèh󻶳tSƦst3ZFEV^ /P$ǦRn D"zrxwKm?HJGBo9aw.Ů%ͪi~zZMwr:|ѯfMYŹCj8zTh"z%~\"Z}M1h`wG=Zے|8`9-EQ K+,IGkfHi`s,6PƌPy59'A+>Y#B٩ֺ`NxV^iŵsA>?מߣ.Q7') pAo17^RTZ&-~mY5P;8$ @0l@ I0`#cC*qM Jc_|h1F,˶%WtM R||6g(}9B[pkvq|Hy.zR? B~DAEKZC)uK'캘nsbJ2`0͜= :!+8iJխyҋyy\ J˻.?Yu !PWjJy|si.>2Ct3srWcƤx֑8Y kv|pR9ne\YC1Ԥ@o={ w~a5- }9 w!c FGč)]--q#{YJTF+lț qn-fq||.Ӊ:.}wn {DaVS-AcTg:v@BoN\0z}!$ zԢƄh-".0nq~\^slCPn٘&9;f&a22Pn>-HK[ޤpA}JY65ݢWϬ }rNCr獈u·JWYble&Eǔa<f[YHFh1!Kh$@zs@NJ*c~@cTWMyMY2҆!+TșzL P.ٗ8)ab66?Q=scu&k)@q-_tUjz۔}F±za9).'SEF9ARg.e) \N+K>̪UjTF?_^HdZNJ ;n $H}w[ Z~E)g=*VzFbm^BV()IZ]? C?# CfU]m 1 |т$ vph t3ՇSqdћ#þx.l>:TLaEQ7GR2\MhbQ|ĂCgU%0n2co@B1}zyUz y+꒰jWf QZFu^j~ٞPھغF8ANYd+'C >[Eמ*Zsгr^4 NF{bo *n"%gcNAS_E4P .Rz87O7 .s\)62*sI۞51"堀Dww)$ g]RXdL$\>]3$wP㵐J.ȗ\Z~[Gx!24|^/ex+SGK?كz }nX2J>]~CkxOo߫Suay9~]W|D GTCBnKꨐaF|Euo(.PG42=(%o=7<1RN/ DB Vr;tӭH#dS!'1iyXҊPH8a(M{28e/&dO㥏9ϵg%+HbW$)L.%>Y!IG(CŘ.E1vX/H=&1Hri"Vy!'a+GJcbw>xW?/S{HL^h2\^;y2ֳ[iM a3Mct EX~ًQ.9;I<ˋFhr fl:=s=wuCCjsu9ը/[UTα`RbQ_q="? fD92P6 ƕI]\țeKqVW3nJaC! _NjYGdtJn\im4[JtɈrL*M蝲hY3 } \ # ̀a\uҿZYN=jڱ#_L'<# IGnv>Ovj | o瀮.B?j[I!/݀%C@5AF%Wjѡ.R\W eeS_o#Cfm*ϟs'gp%D-T&(\*6 [r3+( HvIr0k`B8Y|W[Z7$06/a7^mFbzryeNFZ{H~o4 6@_)BȋLQPs_z|Oi!Dd/He?A"IH3*o ;:'pCi?mcFI Ju&$,A]=So&ӕԭB/u|5EH;oRr%>An/D{9rhO̹Ul%7H Z2d]Ze]T* fnk,\`VTAokz#'o]xt&eτ MbMĕFu i"N{^ 3*!N:a~7[YٗBsFJ02 jNqoZǿ)vr!bOhk#v7/H\²`WF.;,q&I"9a` u͋u{kM+А kAcܘbԒŞ3{[.ǹ+%] W<5ʀ?&Ҕ=Fo|yl[ڪ ]2(U=z#8W1yH@ЛcµɧtH$sT{*j-W+Z1^J&V ugH{vNZBr(BL+lƨi 6 Fٵ$K7I˞Ek:$`\x$O|H&r4 .՗ع@g΂v͕NY} }90pQUc\mr( aoPNMDp;M3 Q<yv%} Ŏ̹`cod4S?M?IvБ~^^-z@dםp :^йYYFsN %Tÿ5 eYER֠^񥖅\>~v#4i%3Կ?\@8CJ΃g1<#]"r?|O\PK DŽʫӧ3Ϭo6T/nAg'-0IR턾6(Sǩ~Dzn'TdoR{ߘa{nG ?@:o[ԲkFtҏwPp8rUg,vX6#a ³wG/B?]b< Dз8M@ ֱ*Fʒ * KGH4ab+u7*m\bʏ[cͻ9hiʘv0j)gcFvY6€ -UGMy-;Aah$6 <]wE 7?3b(IuWj!uЙ ێwnɖMi@1Y&)5J ^_"<^:L>hX{1 */3*IquN&C'r|f%Y@pK.1Dl_vuPF|j% (Y\2'kxN4_zrؙ$K 1 6CSN2 _f r* R=c$2LQ">w .YK v4URf6 *A5D#\\.?/ao~+X qxgQPpNjl+4$Ʒ%5 4ŵ c' \$K^ly9MҌe-| ~!uPIRM}AH|AG Z1!UWӽ`b ρkH=iHڛi݇K'#ES⫛oSi],Rj$~_g_s[@ZVG^Ͽ*FXlNAX1 ӝ\M3>Xm誁fIR2bh 9^`K$uXpbd\ƫ C pv#kLFmr9GC A:o 7LJc.#ڵt҄(O Q:FϓqjKOhtfHI׬86N$ʿ6is5Mv10.~Z3~ ^H&Ȝ"vG4r+WͲ{{׆0_d/ UmTΒ Ӳl PJMZU= y!`ZbL,pIӷhC8҂?ב?5BȺ% ?Uڒo͠rϿdW:HqX񁺤2ՙWђY3!xꎬ@[|Jkȭk7 7ӴX0`ߌш)VU%rFG6CØłs:gZ=bɞ63xBbaK;Ȧ; %=%¬HjG2¨MW_T5;l7-r0ϼÑ'sYp'z}^a=|7Gbz|20e՟L?v ura'ZCiKm5OF/pD%o:S?*,SFuB̑@Ե< ?50;I+<ʿ@}a\oczڈ`._ hCyб•,A3>xx6SC">~%k @TF!8%Jؔ.'D)Fv{C[pX2NA`Eﴮlx(/d}-Rfx^Uܔ-ڙԡ4*_fyQ7t#EL^k4S9`>G8dŪÄ輪.YGK@@W4!g|ZIB||SAay+.Ov1o%vg̀p&LO`HxN@lUd1Z0ܮ\C[|*10gnԭFiM{ DQ''Md*%y;Ayf4 *lթ!3NN\KfE$9HI4LPU םVɭC;-!AnV| n0P0\TJmּ Q̗1J푔5א LTʚ;VѺ7y^p9o[E:F$iOhJ%uwHMKbg`?^zQbm%m4xh UVK *D.NxPYSυ |$N&vjZ (& T/1<|.R$օ]c!呈B͞KDVčؗiКS>XL{HA4=7xi:[NV9Bv΢@nFGX^giNKHcJՇ?/I$D ,JsϘR9r+͛cܕ E8, i%]AwRUbt!Xq]6KSit1Cz;Foqs@O5r!s\Qݍj`X,Ucc 6oSqqVQ(Ϝ^u)?+i q8 ѼU s,  E Mݕ4 DZz? 3?o<#YJG;E:״.=e/׏/ d Cd^-6(X)k%R^xčrqr D*vl+jۋl^QQG|cr׾E,% ĎO"l(K i^nVdCug?*S<\a_ n'%gI;:YD&46Kq3O#dHm2bsBmKulP&x=ΏF~1GųNT&߬qvg}S#1L;c %<}'~M A啄A3a|"<t˶I-ɒv_>[̳¯ޕo3⒢ӱVo ۥn;vo]2L;a56C_9a";_z:^?ϻ-+6@5`MeLN^NBtVH;Z1uAk,4j(HsKWr1Ӽ*/JD%@}sT􌫢SUEwU<ʬ@?stz/64j,F#YƢ8;K9W9h PE:bT:ɢNϕ^OU[,4VTEdws鸷?<&Sbs\m& 8 9ICA{5Օ+N",0de\>Ҫ7tFIo>fbl4LtR *f1n]ո$ GVΤ@>+-۞I`7a` ՁudՃn/??px Fg/.|FaW)uO0<ך1(N07pPyE"֟H~Ѭ;9={wiIqW-9~fN\18Å BqXh&Gv4[׈GV@vM]2;oz2>)e 5?ӊ^chhj0 [k&QҔoSRP:|j-Jn]:|<p˂W^ ǝ|rA.9?χidSˣxGF>#M< o `q| Aݏ{qptm1W@نm(bO[WeokC".Z׏Q*P%~%]!]@]"q\{4\J kbL:(tqv<m}Cv6^>Fsl+l[D4D]yt44 z\׺myJ)CA-0Uu pL;)-]6%9PԵGy4=A\e vqk>^k+Ȥ'kw|rt:7p ǿЛ|M/>Ԛcp"d-{\77nn:b)(Ľ.0KzKv3[-tiò\Ӓ,?e-.b-A"IRL9?Gx_ hؘͪP@DWAS3 @wàEk*sw~h*j:ݻ ܴfҬ@O1)+ޤLfAF:>|ojbW;BxKm޽L2Q{8պnE_أ0|:ynD$z+c˖FR0)G ΘhĹFN8+)JP]WtV1n#d y&"XbB%qy+MyN2 }9=y/@rpHe ؓ+#Asuo9B-=''syʊLl*iL:"AOH-ziiѹl En4 5Y` aϩDq|GdU vLƺ[^Ov DƒƱ%Ƒ<7MJqLmZ:g=L_oZ,b_c9s.J^0Cy@ǂd+AxN3<9 kxe.:u. bB0B3+jO'x&Z1}EUko5UN.C-@ìP(QB~%ܢ] 1GU/QLM%Ѐ^YCATl*U'ڝ IPl,JE JO1ijh_ atou'[*5j$Ҟ|l o8 πX#<:ٞiY^C+Z4-6o6ٯUJrD'&xulAʺ[,|Zradq89~UDv&,]F8(PK >dZpۏZ._+MH?YU 5ẫVI,ylr>BrctOu}TqGܢO ms;i^34d pQ_zQ`ڢ[ 09l,7GoKlc&Q;x kV H 0sF $jrcmc,2Hyd 1@ *W'R7MO%aISujV(c n3Nw*`Uׅ8 ĚAtɛy 4ƀ}DNQ)$ E43{B&7RrpWe(DL~!:ck"#WG$kxBe ZڋhSՊ+@@N*&ߧ[CF&d ei>B,/;:yJ]*psBTC/l~Ljan> }Jɦ;ĝXd+y>|dXK;ڌ-x2?*<$8ѿBճ"vXuC‡0}j ̛\cLQ6XЃ){,7]̨>]k1qur0f BGq c__?EOZj$xb=4cqi)>H% N픊wK;{GNYdfG2. 3,t-s dLdd$/>£8E%Ю-*r; !T?*enH_C1+5.d6 Co6س#t9rb^5-ZM&}H^-n=$g'b(CơK:>K勬ރ}iT&(b= p .>u 7䉘~H;^:"R!mps5o4>V@k;+ӆst%(ZQ2ǤyCE=Jk`L$Ψ%Ә%7ĭ`Aaq['C0Șm7ܵ26^ʧB YLijnoO<:kyc1ȑϪ9Ƌێs$#fA4A%C~%!L E$J D t|HeʔiԺ,@ѣț[}P'ݛn#_~`L>& 5ym%;<3{Y՟o-;HlkYbpebƄV,e~O%._.z &HTp'y}0:\`"ALjJ~eSSxլ BMDw(;3V#amZ]:?B@ZTvqF+2&גNG+%g\׍)>r'gm=^lDu9hс<mʢbwS+E|7k :\WuuQѼ`xn`FOv'g˝>U*2WNaFw@>S˺ׁ7F 3h"-1*Ւ߷'.`9+}iiX0=\l|G*$~ p<.%pm`l9&&as" B E \'" /V &5@o:2|wK6Fk+  \fK{V]#Y.9jae%d>ę 6(I'*z=է[,)JgNr Ős'rX-/s&r@ZJHpC~)7&Gv"pmmjw=" Dg'KQIX&/h9% 7ŖZ$I_:tJs7;Uc, %]#B,4ohQ`d8e͵ONBFNrE-`\6;c@KbMkTq%J,\F?eŶJŢR hVx#[Lx 釻u/3/lLd@6 el;\'e8G閯E3y@^&\3Sú*mOڠ=ǔn-_tjH6(%Be~ƕNL[o ? _6U'>T,Tc1+cvZlA߁Bɗ)^FG7FQ@Z="}S'~=>֘A%d`@܋4Y*2 1qgIl 5k(%wזTuPfWoUW1p-Hslh4/D;G[]pz2x]#A:$M®rdt-|2{ܐ6C۔e[d gJQVCt՛otI;SGpciT, ]V; ;=NL+=C?r&d AUfqfsX4šoܱkv0'ڬIq6Rb}̰eDF7m&4"8S&K(p$Zo '= Yb9) +j&E4g(B 5&QWoǶ4:Z`pH yֿ@5!ςcj\_Bk Y _ b煞NI,1@2R, V|Tg$*{@tqɼ@_IoD*TJB?'y;q,hə]dTdݒ YHP<:CS A'|KAkmgoTow;kJJbdU04vOOEqW~܂y4* xZ2 F+a #E~2q<bF->S d]yXkښ39gOS>xFlߦ=J4J9춂n5]ͯ{j)$-; @FJSblcyrs(6u5@5JU%RړT9gK\ߥM#fB6*"h"ѐ~{C2>4LF!u/]`,h zFH~{)CظY͎b T{@%{{m;eBvEI:\{WD#;CNoaʌŒ_AuN#k,v ,$ؔޛHyO `4UUwJlI*Gfcԑt|&^C~jufXat"[vh͒m~=yҰD" yT5I!&L_&wկEnY]nnD)Ey}\YEZ\XGyJW!i_1+so˼`DLb5vrO'0Q%8lB<\هGXU#IԳ͡vϧ\%R3+sH Zz9fL;4.e߯`yIaC 旿=!@XՉ'*ũYPzem3LBמàt)K5^XSt{\w$eg'ZP1w);N/a;EfC;,ˢa< |;3d{hdB)gHEs;91+w"֥qf̞Ō$8L~h`#F#/S$yr@)8)@1(>0==cpAڏg,4Ek28PzOD Nٳ90 Nv(QqrSac] ^Uӕ}HSMkBjPX~[Y<=#>9bߌ8ȥeDpᅅT Ħ,,AK47J6a$}5VrP:V3*LR" FA|}gJ.ul> էQ vQn^jE#0jS $| p%GqlW-cu/L< Gw"KH]to  Y1BxJf巵7SWV PW^',?0pj@Z@Q懱*թ$l \!W*dLC'&]EbĤ~[S5;0u;+BqU!R@+^VOӥ9> BAkrY\ U1X;״ܫ(Z}lp2o2f웹@ֺZ27#`#å=&ϛFrDa{1e$,,[f@kڨO-i`N"o'^P +ox4{ & ]) TwڰaD%H٠/?lr+ ѳp8O:"T"X@hJc'^km#O6ӟtXjlq8.e=*aJԷ@?kFs]vd~zISFLXJaRi2jpNi@/&S,Q0^x^7| ]<\Za![{ɝ[!@BV84w ?ꏓLzS;{sf!_2lCۜ= kl^h7Ĺqa)]1*Rdj_N.<>?˸?5h:rf~ fـguHO4c؄>Wl눹;fу&F_# ^m3jQ˘lq;swdՅ5WeͿK0Y]OhćSD KHWcgL6X1.zSR/ ǃu_: ZQ[l4˴Nԙ2e`W Ga$Bnل*ntﷹ-?ZZKG6ˇ\^,!ڵĠc t̻8 6Xv`3t  )4[Gm.nɁMiU;c4o䝠w;Jj\P ln[!o4SE-%? ^|УH.uT`7R_l4R^*#6,2zxYL'b G`@IGu*H URl哢^%" Y0 7]Dӊհ}*Ya-.Vڙ!nxN4S8o<ڌ#ef O ?Aaہd;vI%fr3.;N N)]ӼY/ղ pvQٮ:;͵VꔧOeYϑ =ki@F -A')fkyӑ1*&'qD} `W~*չeM4%=kw䴖8F{z'C/]QXm!E-aQ3lA7m}bm;pnӳW*i\ $ Z7f ›8Ь73l?~y @iD6ah +V#AD5adw=R1Cvmieoyb;z (# ڀsfL4~@5v\hj`Frj50ռ>둹Yo-HX3: {6We"[M37.ǐ&`b"i!8=~*K8 361j Ƿ'Sr[tgnŠZ) sb88g#hx2[%Bf>S*ɼ—̟1@5=ٛX Q0lZVǮlG_ ~)M]+qˉX+'͘Oan)t,%K*ǡK NP[:uz+oxZxB!$ڷny#|ED}IW0'MvvD&E=C`WAnD/->S[hA{7&FCi"&~ . M_=7j~gnIkdi2)+瘁va>ܴZ`` ƙGk=y>~Jxi Řyzaƨ=.o8;#%^YAq ­VJsȍ?"kӦoZ\,٪BCL`K¡FW\e+}U%q,mM$B$^m'=0>g%#ʕή> a B!g?x %Ƥ\L.jTtIUR}%W߬^ŭӄ:zTBL`R#bўbodk,=#^_r bd-5qiRXhYހ0Q+yuAV`zʼnluH $gd|YA{W`Ƭ^ +rC 7wVOɯ5WlGomV_{Ha?E|igABYa*Fm<<;_qQCRYDG/=PV0* H`ZtqSW:[ʕ|ލ3‰@8 Q%my~v{/ZXP*mWD1dsL%yܢcZb@4yv/R~gÇys'}t8wW? z%})}߱~Y xTN6sUs,6.㓜,(wh[N! e~i8qڅ&tA1]̪.z"Xf%{r#(6!lW@@s/"o^dgL;E)A]uuΠeQ+| U(IW:X!+rwŔ?}5%آRPq&'bzH2K\hw*> jFq+`ºI&r߷qe(hwdxrY,#6SUӚ3;]nOƿ$zfzfŸzPhF?Z$X,.>2nqK e_*5H|[甆;S4q=`0XF>BҕIJd)ɵWZѣT 1>oo].S 5_K_BS2+B<6!˅Y-*~=UsLTyеP~G/$8~Ã=pJ8+?%}=n4eK+\bDi;Ҙ"ҧ`YX}J[.<|ې_( Yuyj謋)-= |{T Bf-UJ ́ ta"~{7$qt@];l.[zҊ$f[_|qMo_UdUSv5Yi>Dm3?~dj20\WqD"Xcվ[[tL-؜F7YF3qs%}ܬjb0[lЌ+^i0O-T{;4 P7K.)PyɃm>t(SJЈg=yAs@nt1mz{)cdGUؠZep$ߺx}꘍`vѐCɿ5И]ZD\# WHt{CrNjˏ& a"nGVTuԟFfK m+uS8}W%[v;p~njQ~%'ÑB3-@_'!t;ڎnl[kvu@ot]]Yze1h\u)RREP|msԢ V&cӘ0iKة\S] { G3Gc*!0 ~0sWJ<93؋."ѦzqOwh(xJ݇@v!)بnP-PGS*)\ik,;aZn7|S쪏I*9D^>N:}(!& {EQN~F1/^Kpu_a F_ >(KOl3)FC0M+Q^8 JNߘ`8xREYݻi -t8{a}_ޞynPZ|S262RƫҪ?L௭dgW?}*iMOE "i` mOsd/T1xk>cNr[Y0-!!$)QrT?Zf9Tpn&V۳h4Du\L=;ewmljWWAIe>S*|}wy~{-#:O!+ZEc5kOK->K0U ] *V/WLYCQ݁rJmLÀԐw?6q~*6JxbE8xaa.!voܶ`#y-m1p4e0 d#AͺSI9*^o-1Z#v{>vO)2FlYݟ9>kOVAJQA{C 0"E ePpq?+.rvidM7% >ݫJ ƼrN\T;B;S_mL<=-Ë~]Lv:/FEOsy OX8IX7i$JGdg[O1/P=V woEZ;Oj.К"Xee)<*o`:RpC3sڣ}42^d\DֻѺ,QX=z4\Ir;;B.'%73< <.ݵp؁ LM)Yc W\e.V t/FQmD6E@*/_h3%A䟵cMo?ZM5([5wk*/d菵 BCT)Ǿ%v[lA]&X2=UxprMH3s5cP_l$ےy a &ycCĞ 9TlM:O5qT+h+ktJkھ}APiK4\?Ú i5Q]U,}BIM35hӪ ~3E'e*LK|j((f VyrCO$nA`< Eb)MHݐn>@Aޮl{[9 qѡ6t.^v`|C4^d/}~ p'qQ5En9*6V۶ZߎTVfxND>;xvjkH*Ȇ3C׸؞C߉` >^#mtJ@q\` Ys*_.Ʌf_X䪵kڧqӓ kgR1N pŠ.ycg1=#$b-v"vn)c?ʲ8Syȗt 쟣=CQ`E j(%S9{0|iBOu0=3H" k9|Jp.W-;/E TPgH^Rp ~gŋ+; j'2cB7_Hcʺu2^%O'kSB_j}]D:eaE_o\0$i"H)R-iletO/.gfs $CԳ?AK=۫3`6zsrD9ngFQJmlmSA1`z셺jmy6m--񯺭zIϛpB67a@ԙ4/2)&?,*M('4$C W8{3P@-[3v7xGp~ڸx`&sߖїyOO"*fڣ]mWuOR",Lc(lGWs/b7i hٵNlTlA} bLb <7+,G-[ i;obK!OxI}' ~mij;r>U#Zϧ%rU9= ΁Yͱ{W3qOӣ,D&)l\'9/˅-F ۅ[)mڏwJWEE&^qYМhVW)EtHOރ?ʫ?-9cqw.?ʴhW_%/K sو{ Q 'Ɉ[ΟVɱ.j얒7M6 )WN`D:`z[e0G.5[ݐX![(t5zM4A_nml5r(Fﭗ~ ;"˹#P91VHP fâ';-^9ơ)ȥ|n} zz*1+5| k4QAr3Aj{S1L:FmDYQ(o"n F?-tHn@zRoL<z3v,<tO(_gB:P<9i~ٲr}{ ,OѨ[Cn%(fUFrcal GWGqEc_Ff ~G"<S~5s`xV鴼||$[I@ums2qq^t_r(S6ާ/?9^B#͹KMkJtwi>Uw,((9*SF./|_]oϵ>OMU*iC8>A2dIq2<>7I eT:9uXd"8|*> 3&\&ٯQIo-Zk~WI> v{qg,赽AR;iZ ]5; 9/WINO_Ѷia~*C@qB)dg?= 7{ӢpgÂ}ag8HG3 M1A~ar}}o{P%~lIK|0\*e彆R$v8l䜔wzuӶB\!9=m?E'p%%jt0g,{}q&[-RQ*hP_t?YзD|5$XWf'c}u> X`m?IχZ8;ZFʭWPHR.ڴٿꐀ h',]:EC7U[I>H\Mvb`.l o2(`l= 6^#YeSsH\Isl)%#Q0MĂ$} B gWIDlUhU\mddZ0:! ]!?pqH8뎁vFN>ZJSy+f=ӆ=%r}2a JbÙ~ϻgQ mЉwrS(7 8%X{]: y0_(?0O/epύ=X&㢯Ӱ1aȿXӌ֤D,|uo8QG2x?>A;cgɥI0x{U̐Q';оϣwQ1@9\~-1ZjvFN|-4xoqS&+m9ÿ !uX(_I*эAaU=RN|Fْ!0eī M6#ZJ6/ºCIbT=gɚEm.G14h.oHXDF+L`{SW:($NyK6{)oA ȱi 5fW"A՝w#x'dGG`2НxIsgMڬ Bς˟zبbfL's+=bZ#!06*oް>7|c}\fƹ1Qs6xT y=-&a+Q$Yӹc^Q,8rCB['k9v u蜛0e7Z_4H ;7ط"fa! lgRuV;5nIU zdm2)BҧΌVIepl3U e]֤fdu.J~բ3{1Ke~{Z(3Sr"Ɛ/ҼʮΘ u q> GDbHZ1`0Z` %&G霎,;NiüGg!RIq ҥXtV+ Z_+OM$G!DuOCW.n"@M,Xv>;O8qM=PdPbks#E&sQ<^)8/:-(k|fwIjdn_bth`Zۏ)2+xZ5|̸֌`@[=u+%e7Q4J? h&lJȔVi+s j.k`|4+qp[b/ҔpewֵtsX!ɲqup^8L w߄ǭ&ꝉE9e/T\(<3lT5> J80oe^S-a~:zpZSGCEk_g 20H#5d?i|5B/?M>,Qu!_>vY֘C t}Y W3=Kv"L41F0={1qPQs lt\UYp`&%{4kǮn pkmvܲa:}*jݐeiޟYy (+T3'+̱^T¹0t 45FMW-|1i/aO!QCQX"(FԷZl`pרT0h!I|b.=4)׷}&QC7GYp|Kx(7:I-9陦_J!9S$!g`Tٍ8wlZA}D./dKN34c4Hw>K}{]EwyQDzZCȱ.tY:*1Dٲ (JFv < ͋G&\NJ;a= :`h2s)G 8$b͖WvA-aض~^85mQ=#}@Z|PBbk\U\!K1iOې~ߋ'z<msԊY/wH5.ٱŢC&ܦu=ԕ`e^EEkKa2ڌǫZ} &*q.RFW8qC8"P`%mXLTH tL'LWR^0_^@rPpڹAASCd37Y*$y)(pSq+XkCDW kcݨE'Ʋ0 n=EC'3F^Hw-UBHd3m2V#ޟ]Ybe@&lOa1^5LSC ^ze+;FUKo)!+V'JP~Js 1)UMf<,=q4}@h{;ۙEfn,+~֎;h6dZd2Q:sOpҒz8Y#Ӓ;"wQw M0y6R%HԮkf?U>T8[sm> qmhrFm_k.iN*km<5FyoMVvc܎E&yz,cDT.6E!\+u |OBJ\+ !iM裇DCF S*v`XZ7R=]lGuq N _拙ӰT.6u,iP}/ƼvkƎ#y.7zwq)I5n+<5d!d]'IQw/;  ň8MɁ(W q}*qaNJ^p}!1J0ϔ@BsAHȏQX0)a#Zy0d<r`I͋]ŤoE9E/l dlmnZ336D1C^~$\%GhπұW>kHZ)j3 &6er%"`Dzʑ"=%WhgA5#ҵ ZKnue\6[)ܓgcϺ0{èGvA: ZMOc`g<9Ɛ8RUCZ6i I+}/w]oFĨ,!F䜸yhwv}(2?ohm$7[{Tӫ.G M?mgO8}=v-{̒oT{.{*9"#5&c2.W߳R%rӨUQkpʤrtb۬\aaO0f @A p.3*)lCOOx_y#nfrl9 }eOnwtLdDDϤf PwD~4w:|#E 0QQaJh\> "y N_z U2? KN})cmilʄдVE JIAY!wtZn^ 4}3DEK[SG-> x PseʹMӸd4b%Wi~)eX)./\-V@{W-K _1.B KvC<'rq6整q* E`ޖJNZT8"=hY.aX2sks>C~㠠z݋0J8Lm~{%%zK;:-hp#cȧreß8GCDr鈻2&il/.WXqfhz<qÞdždwRȿTfd(XSEҵb^嘿@+ c[?N05- Z#\ʫp.ڄfiߎv;)Fmpj&yj/F+tf`-&qAV:oq3hUy viKdΉmYDY?YSQ/6nFxگ%.gNA?x74fQksO}&zvqә j0*q3@ͪQ auT5>| B ^w䆍`O>ȹtjkriim%xdE{?\XI?/c|cw 2 ~`ގ?Vsi6 9;輄$SF:tSimCz`_M4SnҴ:u+sBd"DXVtT-ƿ\~/OqiWߠ.*Ԧ6$LiNaPibl~nqڍ^745}( ;Wd4(lkl# *NSgPG}>*{`ؗySH9<<z:RIx#Ăm2ݑW +Ą g(q\3@lC<@(Y&,p97Kj2beTE}^ ԞTk<.{g "X,<4B ֆOjr>'wG}6b u#1ynm| }[bD<1]2L  EN̤:9^a,ͭPJW7@l+}EjQW#!}6=L9슛vB,]$\k8&׉-؈;$ر<~WќAx /7fώK F; :+!V=3"ּ ^BWO84e=w6T[U"d2a#fu4ZSFMR@68|d<6hA?wcwT AVh2cH1Y/~G '/IV}R <,C&&w,b&LGYry3 y M$8u/L>AUO;Qk2?gy'~ѓpr_[a..K/w^ B}W"Œ} PK:/ (^.K_}B5ṃ%e>:]uFI&PMuEm;~ڹó1_: ^ ԧቍto)?  /%CfY7sa1zGGckI̦XPqϡNqlz[駧%_~7;#m0o,ϸF-elE J知V1eZ{q  rUI(QH~A\Hs 89nU{y-Uu"u>rЛn [ A@ ͕aPL3k6b|WnTh[Yhmq.\| PKStuZi"}W;<5YRm`)X 5o @AQ눲vvlM?[:q!6;y ݼ W?D( y6JNWu. -:8GJpaSb;*Qߵ2\ku͑o!Y'gڊ*oPyz ,wN:Z7CZj7(4?SҞ-RXpTVMU'jb?uvٓԩI#^PXAsm#Hn?0{/i0 JWPͲ;/2? MY?G-[eRgYM3;Nk&EeK3}R t6Ds#$B %|h?d|"!$A9S̭3Cbqa:e1ɿ=Xf&olPl5 rY- %W: ©2e7J@(L>`v mH[z$4m ($U !lX2ؕ ݡ6j ]s%u>V>\LVD%U!&8l8]Yt3,]sG%)K O(GF!֢aܤv7G\%pL{4k^fj{xKb7K P.g.!tOaeNݧ/LRC!mm/ZعhQeϒi!#ȝ(B IoRJWtSaW=U(35Rﺮ4A*L C0R [?\֊k.<1|oJo[+#yD)݋bMu[rSuX?~]B^ ɛH,,eQD,XwY6t@{SvltSֆ ˌ#̪?ߥ ߼GWb8dY0T@X$^~[ߕNT\!툘o\ShܷDFڌv3-QN??8djɾAoJ1_#)6%SnO~ ħ廩#കsvx1\Nko#8} EB5TXμmq̙rO~юPxh'$zxXY;٘RY9|st\uul/'Ȓd D0L-{Dְ`ݳ2nLcF[[ /q/p7z[XKM7hQU< gz9p-Bp^xB~ AR} s3znZ-O<=d|Pa;IW  kQvift.L#˿2;9R)5=&֔J񧦂L6?Y)KzJ1gAʥ-G!tPn aYMfRyگq)[{HSH@zT@jwL Ey w>壜_@eZE58`I^ſta< |k56X3q5.g^pЪ갨n&_v1SgA`cd. Jxf2Đ~l֣,igQ\RↃ)n Xy7 1h`e<71pn:1>32>:Zy?`4t\:W$`r  jGc=1(@}|i%ŧՐP!r' Bu#(8\2ޚ\N4LR2vŲS+ )?>'!}m&3rN褢p˩!r=H= T dqc H.21Z`~/Ogc_)pAoJ ױ Ciq_0 `j>Q9FkF1$<Vf#k]=(sӰ5TX+s1Q <}rP zQufpw̖AJq2~8ae+¨^r8.)>{81 ΟϦ)l|δ뾕xD/}'0R QڡLucUqfI^Ȗ ŧ17jbsdZgQi X"杜҇ǕoW3ACWvY);fT69Vd }FOP42bah:K@Ȏ1eٻᔛT&c;X#L) j2&,U:BW y$,Z6 a޲7e*]zYYbLL/}C ,giS޾88APF=Esz f]5Ƥkś+Sk s:e!r 0kŽrV>}l٩0gV4֨}ᕼ C+V\5 Ha%&%eU[HLs'^Mk"gm bKǥ A 55uµhb5qNPX? y*^;\(U:,6ja/(|-;q]g)5,(#YȌCxF, "~oUGקeCPu̎iJ"0Fe6Br" CSRM%D0g˄"K4wJ9OX&%N2=X"/XϨm#N `ƣZ2';7aM8ΗlcC{}c6XnG{`zt!!YtPs%[ $6}%2 3D}&,6,G\‹0gEIag%WFޘ4'j{`O`'$ɮj)QDQ ߡBܷ%"u)<0QXCI15 &vbØ_B;!lI+$j~-\,Y 9Pkm`^`Mw-i5.48u Ԉ4kޗ| ::΄5/>E3EZܝ8$j6s* Dޫ=Ug>Tro~ת-bEͿRSK J+ţ:[Fa!,Π)zI&Ō=&2lcع. k?]"qdN,o"5A8 yryM_Ұy|ZNu3Z5j8y`yj٥l ;(Vy@*@"W,lԟWXXIP1^B@A5tQ"7BjnWLHNƴ]P}W* L(&dP8{3][t蜋l"(ضҒҴ%^?KC${ G|1ڽj" H0)I}]g bFM? s-e(S]^/у2f lGXwBa=u6AȚ_UI` 4泩Yw[ȋHpc0uY 48BYsa*ucft 5IEc t4:o gCE~59h6VI H7/Ksϣ0uF:egzcm@ʢvZ&@Lj&ZnWRP +\C~q ;8qlGzS=xZ#:etyx@<wS<6 r@q/JIHh24vmIˆiM﨣}eTJ`va'NTޜAߩ6ީ\C{@ :8,FU:.'=W#aaKSssEE*FhM(I|sReZWV;/%ݛ'EYR$^כgoQ/L|W/b6_䩉)1վ)db8!(WQ`-)%[pwDZJ@^`>qw(h/׿(gPagn[~rZ񙆞NQ$R|<Vm7Djh>Gl fП.%eG=7$vU"y9}7)~j/<HGTSoMbc 9q_xewEyPww:ӳJ.:A;}6?w]2K2X|Pz(^&+ ŀ}`D;3čr iIRr\vC[xK?r234uC4N ɴ7TDV?.H\6FX*60,6He2Z~٤IDw%жuKڅ?RYrY{mDeS !y6f05Noԛ_HB=\eE-͛\ȚhrS[G\xiERV5ȃ)d#W!R~&f:T)s!]+Hdͬ~+Pt2*ʠJg*=C']l~z0V:)h䠾AT(!l5ʇH %<~.Uwj~i0=}L-_ 劲ɫTew 0&D |d#})E6O\t(;zvqs Pgv%)ajyVPh0f$(Ќ#X&_rvBB θB8!р ʥk왙. DGNE ~ X 4&ŏBՁGF * ْad#Fv[LMx "Lƪ3`4rȯr,m…8iZ+ł]^#j]l**?w+^#+!Hêgd_)V+٘ŧ'p,ʰq{|`[2II2=3EaYՓ\A$ܦwhy 0mAJ6M,i)o}f}+JҒsj)~{ĮUʂ.WX&SRFjj0Wŕe'&V@Ghy1RfiMwNFW?' űd)k< ]a JZ}ggZ'A]Fh ڏ-w=> .oM!!ZuGvBg}y9GQ%BXL<ar,sC[ 8Ez1Vw> S?@b@GOlc2|_۬}ۣ+NV*]). yڶ{Fu@N-KQ$^gM|I_B`3δ?`#?j%t\_5ga/u>H*uth\(dt Yw&}ry^qt6fvy%1JPnU-'2SPdd#蜁.GdckDFT҃Hg6ЭB7G?ȑ8yK@@0~4g* 4=yZPl9mI=Ɨ|h[%/]Đ)!i' <@m83 iv?(G S*d&UTc ɟ9/jH`6ܜ pfHY;x@$V1 &% @ 7A{,=o9:"X[0W@W"S Cے ƭo"3IW\qp̋U̎`;&>ds)(w([ɽ,GFg V}uRvYА?md23s!]nn-Sn%\Ίt,ECv9ßcfd9@!*  cՒʫǙpMr:3F} q@- ўi ._Hezi d\ˋ<":-bµbQ}Xi8r9Kol.@5`UQ&i<0KUEu5WP DcJeBŦdNGIj7"8R _9DzURMt^plh\R 4*eȷbe% m`)[g5h .KPvЇ#V6@!~pZtOИSV4g*&F|-ޔ~RZ*a\Zp+ ZKu$*^J#ԙm/PƁvA>SEEt|}"jm<P\xhdb64ԫWLڠA= e3$=>)z*R tP\/.epaX= @+8IO#>MqlYg9lgK&{id2jS˄<*OQpӾR5E1hd4|}ݏV\a14tФ e*Q1D;" 2W3%ݳ#~rqX5vRrfqf(]923̛NVIwq'+/59wEvOP1JZ~m;#*=&$X_v)q#OZj4!\G,af1vZ)Eӂ`螉q@8}n] {ڠϏ ÑD4Gi\9YT!h,Z7kin;DI),;ُZ0{niq Ɓ2̶ B-LޞP~Q,V>u )?ݨ"3m&Ze:rky=۲X!,RyQM]O-`p} 1YMrDD淀n sO[!kj.LQ<3GE[W!BZ~#za)nnNRr\BJ8Cjl'A@8nJYYOWTS')M$TWϬ{6#1ynދ3Ge]eq֙2'PD"2؎xڵ/(z0/DՑLQ+z\Q<2uK"Tzh*n|>ht wH*۰U[. 4 nkO .d=!5}mF&3) Y8]i=EMhGd-#2ZM~Y(@bSxnB,I&AV'k5G)PYd>  8XFlYwmAmQ qZ&xc᮸L9K/d~K[[^T-`t)T9 1,nؑy!-O%Z,( 4y1,Dk;㱯 C9+}'f2(`^Y!ޔQXMt&gbT9-8GbGaYH؆4铤9 _LDO5L3l4M UOba,ʑ3ƏeŲj@+>l$m#QR0IfeY.S"Ki]@KV&L.=r`!/OQ 0d1QFkm@`[f* X^]ȴNhc'Kdvn k:1qϰGfucbV xf~8m+ /ݸ dXP6_'h[c -q}UlJP&w"k̐}8˸*t'2‘BozcNH[dNE.9B̗d4G7Ρ]gnqwxuO!WXje!F-% sTi@sg2(6}ODj^m< ʊ hT7aO8cK-XGTcO K )T[Emo"e`5īVzY0SCPWmŮHY o[EUu#tmt&f[C<^rՂ9v#Q܂foILa(-yki)A!D EӋrEeȿ1fb79x\ 6Xӛ:+_eRu"B ,w1>rn`ڍ RP{lV wf"&gɜ6G:jچF=j0_/ )^Cm Ml~BL^p iL؈˳&Jï=H۪וc5Aı 0 'Њ)xq9aVR_mTP[~O<Œ7A,Mip}y߿8.faԤ֨:nX20([M@#ja*(jZ;,gה[ׇHSyR#qs'>AF8l0CA.A~NV~EX;v6BeZ\wBLJ%kCNbBOEVC#ډV"[BĤmAhW54`bx 8S&OUbP!_5={ask3p(/ ПKRQt@@0 )N(ָM*c[@$٨U%ͻ{TKl[y:RNL^W-W4f02ɭgSA #z65gU]9V7%PG+Z3kK@,Bk3 ya|I[Nԛ V M*1Dt+A?\?Tuc؎el=΋G/#1Bz6p(IRxqhde Pg%),{"fH'OzƷSW wd1uɳv5˚X  Q3Qcjs6HG/3[7 l`cmn8cvXq,Eq^[܈g|9~xK7{5Zw a1ئ%ϒ,=i2 KDtv*쮎i2]0q;gKO3 :z?ۋ=. CөNs?0֧8|,@6k SKY\gxW=x0p;7[RuV@p;=vVsN82`|L]z-K>j,2<-3a(&-羰)M{H_TпGA=%m\-ZS^M bEђ⛐!c9쨥$RM:H!Wl+qjCZ?M}A"yqu% IG%1/v+nHbyW3v$\Tȅ,6ޗgӑZ]MRև_Ӏ+d?W~#8˝FWodqӯmBddXz-zR d_ \b*˖q]tdbzȩ㿋4hU&4z01|zE㮊[fFTsb,p۳r3\C£cU_JnI+(u+Xw)pMC;،mtQ]^r;Il7PH#Bڕ'bI N_"jhQR1ڷ_b} vl t=EDfQA.D XVay3"Nj}03uG/&3tJr4QE\In>cJ7 ى/ ݫy`= tu/bxQ] LFd'P;\1m{C*0=&Oyag֛W9q+=+CT==ZP !ZVPO*m]ЂS?1V6JL &.`3x޴m22V Nex<5ԑY*iE _A+G~rݪ K:`kN~k5+.0x A ߎG:GJlK>}g,~ݒhMjG Yz^4{_Mj'!mPs`ۇqȪ#a.ŁAY CkrȞ=~ [3#[Y[%EywHQr0F.3Ak ~AVLS+j.w/IB]LӠʋjOIc d_ &N:Q9 cVLN/*_k5/޽qʆH׳ ^YSQVsloMoTw-ޤ|@T}-IZ(^G vNHUo,6j |T?g ]t'j!Pb1}THj҉$f9g`k(LKFu ̰&&5Ѽ] s`u35o.7hK$pۖA&şm!£f|R7SMxܦDFP"nEI#:YChHƾ76;@ ū9$ZaYduN i;eofQּT]0/S8|h%N`ONEv n~(!Lէ{CE6 h/WPLAI`5|;/(!T7 9G/d )%]1*U XD e)'YqWG!0+=O+{ ~ <8l ñ7)DUZw] e3;ʇ$=.E$4രA&ikz҆bC6rb%^F-AjCoR}֢i]s9? ;+f}Czrm" +;<L{-Uх5Ûy`&=YQn砻II<%؁cݳRŷS5l'{;U`a:/獝ݮ;{2DeQ\b(~eە:b "۸="nn";B ?-ӨGpFt'_cjcv0%,ʤnpuzZxwj{;1^-wO3=*:hcܦo TN'@;pBO;ȍ 6ܤiRqP`IYg%Ҷ2 t`}iv'J;{]b ?I~o/$m/HC/%y =)ZC͋M-qR+&^d :sȵ$"IյV,#hj(r&teewe;eK3*06ZT-L~3@r˴xgo̽~8L ?X >)R.MK IŽ)ijΤχ-*c&BGXVT3rTaD0*%%i&%o+]DKCR߹]H l0 2[Ww}Bo7C،5`mYs 3hH]O9LarSʥ wm5>VUDr?oI3}{'hE9u&tG5_;S -47@%G$ fgl%X q~T^N$dGbA|#k7 6$ޢZ&/6񴶹"*% p&*3O5 eVGʑ%eEE țoz+C¥tL%90kR^/q/In9mڤ(hYqL} yNN6i˵ N7 M1υSNpF%ěή5鶺+ &D$tf|зPl]p7#]{NYF,Z6:8Ԫl2(ԕ$rU={I=vk. AN;\b| šQAv^^`p0]h@d4ƾwF*<A{ th,۳9ujTֿq0'8@Odr{ҼA+ 7r/ȩ/C>/Y3 =TATQ^,hv$$EMa/VHƃ70$:?,7rN!(t"_O_,a~hCfqP&}sx/hU BmV`9p f*Ip@両rJp6|t푧@0L Ic`nm@FV@7Y~F }*]#^il*Vvdf:)\_ļÛ~kWrѕzcqS.Am=DE xD+[@X5Ѽt~oR޶5T[ΪAc*tX͈1{6Նn[b+t0=4ڏo6 EZWq|=+QR $sB^\O'R(0 jv'E<<)4PQReA@"Jjlʝ PljГ_ Jˬ?'ÑQ&wD"kQ;.-zGβ%` ҡg<e'"-h)J/1?9GW.5iz+Fu$&y QJX݆K&S1(ydP 3e f'Γh+ -?s~lh~K=ё$rNg!i:687b8 I>*=0W]A^ vzs.8N>ícDn1*I`Z\1Aղa~bAf pH,n-\Sרl']uj}MBl,*r33Z Xh3R5 ;P wbZEsq252R#x7LCYRO <C=_d/4@'9[ CYijK8yr^94jJ f`RL? :~nSnV z+{R ',+7c4m9bzڽYx,vTi̓L.2 DD"c9~ݖק89v92CJ !EQ"g77 ֪j >YWMVN se4 ルظ7/9gP F6+GVҺ'nP/E[sfH/߅!K$-d~fx29D{ k$W]+ҽ*I$Ɏ;t{uTQ I/qѷ{`Va[!*V}{a,(%1-SuL$&"]П7 ð ]dӴy?ԛT$9M3 O.ĉ h86 8#:>@-,7Xrq*J FBkg樔D*V3"; "ø Fu  .}DZx1m)8*M@k 5'La X|܍!ƄēK;4 .爆ݯ jĞчBcd;-׸>5 )qH ǎ}hL>q<6iNL&* \ G:a'@/7_RSvb"ҏaVBZ8! 멓yι)9p3}N6 9>qbwi(GPɮѴ?65::,,V>pС-|9]V׿X" r!tzU P=u'2F }FhS|yyȄ_bY_-xc|/9K`LjuؾnG29:ZLk >7NrMV|\9\py&*O~4NB딈ea?xX`*&~#6]65Z\Q6. NB=;t3C.j85v աN%vȗb_[H/Wmi@hZ 8_+Nbye=jSWuS[(@oW̳=-@ O7Ix 9_fԓF؝7J6N?;=zhKMz\!yIOMu{()dI =[)^%ع=u/f9ˆgESwl='HG5~s2g$6[j`=iP{!#m?5)pû-{ʀ*{Z}: ޣ}0<1n6gUVÇBgDj3{Lߝj:^q  J9ul=^fzD F1.?4 8mPcQInKrV BQCb@ Ͳ ^2ʯ;1n멖ܪV 5.3{k GHz8DC`Uv*4UjrR5ŘhaF=؇ٱ&Di)fp|d< K]Y˕X&߆d~4 ΐI?jb5R8"kM}c]& MPx[ȏK?b3RsiS]9ndn3.:xz'504Htݝ~^wF=$#$g V1)(Py%X8-@ ^2WRcRi,!0 .E6%D%SKs٭, `JcW(5 Aaɕieŏ.FPCOi ئyyDL c!Ӗ7kdoy!d#ZTx47j\؝C[^=V̆),\ZɈ7쐅 |BTr"$HfG! H9z6--rs=5}l>oȟ #J+C^ U9f!OQVi`.Fٯ_2(Cs׾E68E-4RX4Abi/B=5mZfpjP{sb7B\j.}K?3حhEpmF׶6R}dx[bC^ H8\y)=12d9fA&5RDGR#HG%8v9(Lbg5;v9g:!V fW]qDgK Ѩ9-!h&ޏXWGV\ l\- m~iK[d5F x:9N5 DȻ5.e)ౖ/] $Wyp/ =,jjlYE:,CEŤ9`hyb05*b`@>7yTp8?Lȼd@i|tn^u7j-`Zԑ)b3y'LI,2dn#~cTūr \>r~E y/c Mް(\7ܿnM Y[C`.̗H*U(w?oq撀Y޸ SQXY~US!J 2S~..LFr'&:'*ՙ_&x8߉D߃~m]SJg%SһLyFDz. }2)7&4v!Lb\5EGH%F |w\ /ptoT̚j$aEI ,CزcUz>2H>؍߶e n+ 6, Ue]·CEDרhajeAdF9^L2&I71(|l [g2%:eȑ22"[<4d|{/U6C^D / s%FAs'FaO8h]Ȣ$ l.!c_W*ib W-3a_֓7EHlL'9TMihb{xD2B`Aj2*q)$rx|6S/Pvǃq`$y4qFⷱ/*lҳ3!B9%S'>Z4d>c3KVyv yl;텒ŮQG; =u8 +>yKػ͜On|huűTBm/3쀦dAeN<צQA/??\ib |HZvsձ`m?Q xR}SO ESə^=x%RAP%i&EQ eH 8aW 7,P7>VEcqǒs}< |IdR_+lXc 3g+ #beHu fU{oT ׁvHjJbj(w|dI@/O/dc>SIR`~%X4ۓC]5mtBm.H:w:Ck6U.,FzOfm_`Y^N@߽mF! |ryUQ~W`FǴ'9bƦw;`LcTXGs6=w{JfR) gGf7X-#nC?<!\K-2Tt:ޗzi?3!ySH Y.^G[J!x=+u8'C9LbFWaDԦ`8{ة+WR{8Qڇ89ar uN"yCO*(0^2Q8'pW2wam,?0ck OU ̯Pn^70o%slZxOzWY_n4B⦈(9Cv3I | }m:%X$2eDe[4P>zr^TgtOK)z7l Ba0TRY.Q&GǣYܶ{2ׯ 3(2<$\B!kx܀3C5[\fYfIe qFCuGrPxRDxp$ag': ǖXX\o;֞g {B\rkEIa9h$@=wľx;3LPl Ɗm?9@I `':̜lٲŞ&RFx],JĀ 3|ADܝ At|OH l ]@N!gK^V>dޮb~t[&Ի!E[QA \yK[Rl_^/$K-ê&y1D<4tucXدJ{z9nFy%#!בG6LT5tPdIMakcfC%2[s#>$7NIxp "Xjwʹӭp:Sg߳Ch3icba&î;ʉkee!kw{nyIV{TGVdGz+d̊Mz$p8+^NGię10'e}nzcD{)omGZF54٩F|]'ڀJSg(` W9 4:LWoRC'<@Ӌ[Z?0H-`tQ(۶\}7Y:3!?P6`(b7 n /o`]CLΒ@3;m7:U,<:(L Y/Y#`yh¯ r'ߒG ]d{95`tMcd) K[[r51^qba-2>l>W!6:I]IwnÏd'=ؾ9#soǕ^Јap6( "/gchiYPLBîJ/n'B q|\ K8?`_i4Nc؄^dAW#EURrmYUvpHR{~H߽DOz}E Nc:!"]au.22qNK Ebt] Mگ2Hs}CQq)R9F=I K48al4DnHuY@Qm=lA'?M1A e"X7z3dHn,qH51˄+X{W!AP}Bj Hu3 ]N(2&қ׉R+e!/5!)*'G\{-c%3:cSkuC/FD#kE>-\qFPR=x ~ѝvδ;i5 ֌Qx!5{1'j5js)(;Ћ½AP~Оqx! egdY5jOsKUfg<\'`9 :)2l3Sa.lzaN6.5:Y>cC,#soA'nZƜf55`ڪ^y(DkEg/.Z %>V~GEyKH7VAOA>3R^:|t{zksg:}bL@^ֲEHTJzІrWqއrƊ@>鐠v{+Qw%C6iY:&-k *V7/:.Sb$Jϡ!Fݾm}*٨yݐ@l\߳U1TêAe~%WU-[aߌW-Me@$Y7+'<+Щ V;9`}bp/K:xNXQ72d>fDT~20zki>C]ΪHi AQrX-gۖz U /0c{4eŕ;tLjJ4=YdQ`WƢFhwoVp G^척tj{U> Ѭsy-{[jf q/_?O9[aּ߯Es=LY9ec*˃ܾaX1[Q.>{PELY`v̴Lc6O`qWLJ{ϡM\N KƏxK۶ Lİz^q@|ٞewTy|ԠDb4-?!U }5ݼK֯w򥯧g eWMͿ8Sp5s rgib9hfvsd}->$M3P4fz0_ 둡jB{{u<.!7Hi_4&Eq+F+ѠC3}CvC"P<{VM(J`~{ U.Je30͂0n|ӷW,urGl|1?FݶQw0R|ZN0<|[Y_qU*~1vVJGa3n񁂴.YKO\);?u?ϪFS+eK&hny A@oJv]ΧjEP!&H }m'UUN6mkMФ<18<MŻ6^ ,%RItkd*g3zGsݼdvħ!;7Bكߣĕ2<<sO?N%3*XaJ`S^!r}W0s7_ۻ߾x"um7Vv888E 6,Dbԛj!tV@ ռm礠27^M)SE6GQ`!Љwֶs=369{T~ zVX!?[9ihֻ۟ܞFB߹% ]<дo)ZoeA?,2ih-l"{|0<ZܠO9`]C߳Z*3H OHG*Rlf+Fְ߯ZK{VQ9 %^0}=%@EBِbe͢~V_3'w= C ٶ7v%Bf f&[e+8w'=p`-kI q;.&eo zjm-)VZ&gwFߥ?(2/_ɘk xkX6fue"qiԊ ./ k|"kb|HCQBPLtm?DvU%jxȯb ]7MW5AgY ]BܶN#ݝÛy?Y,#"%1<ٵ+w ~B,9ߜB!%fK{ } to~Y >U*!וlsT7[A͉vjD% D՞f|O|<NDgS+[4D"v<=egbKތqaI̭ɵe$Fb&B-: *瑸gHJA"֖F0rꙤ*u]`h顱_/=C^).F7R#e~cӓu8兤Ԅ"3cA<дUEȑH71ͬBS%W.dI%* ~a>HBGu5D}*mWlrv9@j\D8}"0-oZBKFxOp"& 4KHu1N(8@.mTݼ=*~a>:zQwEZ3"N],CU ~Ci ?m.H'9~ng/AR.Kj^MX~^\雓Gb4'J5RAg^6l-2F]POgFRR JO+%}]^S tЋק]6U"C boX]zv;TK!o #>"*p=hyoi+ZżzYwhcx9*lUE0nP-p89V؄ Irky<#VyZS ,juS\*ؾH7/˔1 UMχ$;Ķ YZ