From 9cc375fad5c6cad87fb88695c8f34904a462edf7 Mon Sep 17 00:00:00 2001
From: xumia <xumia@microsoft.com>
Date: Mon, 12 Oct 2020 12:38:33 +0000
Subject: [PATCH 1/7] Add SONiC Reproduceable Build design doc

---
 .../SONiC-Reproduceable-Build.md              | 457 ++++++++++++++++++
 .../images/azure-debian-mirror.png            | Bin 0 -> 19428 bytes
 .../pypi-version-upgrade-automation.png       | Bin 0 -> 38968 bytes
 .../images/upload-package-automation.png      | Bin 0 -> 13209 bytes
 4 files changed, 457 insertions(+)
 create mode 100644 doc/sonic-build-system/SONiC-Reproduceable-Build.md
 create mode 100644 doc/sonic-build-system/images/azure-debian-mirror.png
 create mode 100644 doc/sonic-build-system/images/pypi-version-upgrade-automation.png
 create mode 100644 doc/sonic-build-system/images/upload-package-automation.png

diff --git a/doc/sonic-build-system/SONiC-Reproduceable-Build.md b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
new file mode 100644
index 0000000000..f7b5d8cf35
--- /dev/null
+++ b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
@@ -0,0 +1,457 @@
+
+
+# SONiC Reproduceable Build
+
+
+
+# Table of Contents
+
+- [Revision History](#revision-history)
+- [Overview](#overview)
+- [Pypi packages](#pypi-packages)
+  * [Pypi Version Configuration](#pypi-version-configuration)
+  * [Pypi Version Control and Check](#pypi-version-control-and-check)
+  * [Pypi Version Upgrade Automation](#pypi-version-upgrade-automation)
+  * [Work Items](#work-items)
+- [Debian Packages](#debian-packages)
+  * [Debian Version Configuration](#debian-version-configuration)
+  * [Debian Packages Version Control and Check](#debian-packages-version-control-and-check)
+  * [Work Items](#work-items-1)
+- [Debootstrap](#debootstrap)
+- [Packages downloaded by wget/curl](#packages-downloaded-by-wget-curl)
+  * [Web Package Version Configuration](#web-package-version-configuration)
+  * [File Storage](#file-storage)
+  * [The process to use a new web package](#the-process-to-use-a-new-web-package)
+  * [Work Items](#work-items-2)
+- [Debian Package Mirror](#debian-package-mirror)
+  * [Debian Package Mirror managed by Aptly](#debian-package-mirror-managed-by-aptly)
+- [Pypi Package Mirror](#pypi-package-mirror)
+- [Docker Base Images](#docker-base-images)
+- [Git Repository](#git-repository)
+
+# Revision History
+|Date|Description|
+| :------- | :------- |
+| 2020/08/21 | Xuhui Miao, initial version |
+| 2020/09/21 | Xuhui, added Debian/pypi repo part |
+| 2020/09/22 | Qi Luo, review |
+| 2020/10/10 | Xuhui, debootstrap supports reproduceable build |
+
+
+
+# Overview
+
+There are many SONiC failure builds caused by the external dependencies changed. It can be built in the first time and might be failed in the next build, although there are no code changes. SONiC reproducible build is to make the build stable and reduce the failure rate, build on the same git commit, expect the same result.
+
+The external dependencies contain pypi packages installed by pip/pip3, Debian packages installed by apt-get, wget/curl, debootstrap, docker base images, source code by git.
+
+Some of the dependent packages can be controlled by its version for the reproduceable build, such as pypi packages, Debian package. There is an assumption that the content of the packages should be the same for the packages with the same version. The other packages do not have a specified version, when the remote package changed, it cannot be detected by its URL, such as wget/curl. The file storage will be introduced to solve the package without version issue.
+
+When the reproduceable build is used, to catch up with the latest version of the dependent packages, sending pull request to update the versions is required, the automation Jenkins pipeline will be created to do it.
+
+In Scopes:
+
+1. Pypi packages installed by pip
+2. Debian packages installed by apt-get
+3. Host image created by debootstrap
+4. Web packages downloaded by wget/curl
+5. Debian package mirror
+6. Pypi package mirror
+7. Docker base images
+8. Source code by git, full commit id
+9. Arch: amd64, arm64, armhf
+
+Next scopes:
+
+1. Support on the old branches like 201911
+
+
+
+# Pypi packages
+
+## Pypi Version Configuration
+
+The default version configuration files in &quot;files/build/versions/&quot; for Pypi packages.
+
+| File Name | Description |
+| --- | --- |
+| versions-py2 | The default versions for python2 |
+| versions-py3 | The default versions for python3 |
+
+The content of the version file versions-py2 example:
+
+Py==1.7.0
+
+pyang==2.1.1
+
+pyangbind==0.6.0
+
+pyasn1==0.4.2
+
+The versions can be overridden by the version configuration file with the same file name in the Dockerfile folder, for example, the content of the version file dockers/docker-base-buster/versions-py2:
+
+**pyang==2.3.2**
+
+When building the docker-base-buster, the expected version constraints are as below:
+
+Py==1.7.0
+
+**pyang==2.3.2**
+
+pyangbind==0.6.0
+
+pyasn1==0.4.2
+
+The version auto/manual upgrade configure example is as below, the automation pipeline will not upgrade the version of the Pypi package pyasn1, because the upgrade=manual is set in the configure file, the default value is upgrade=auto for the other packages.
+
+Py==1.7.0
+
+pyang==2.3.2
+
+pyangbind==0.6.0
+
+pyasn1==0.4.2,upgrade=manual
+
+To generate the initial version configuration file, we can manually start the docker containers and print versions by command &quot;pip freeze&quot;.
+
+## Pypi Version Control and Check
+
+In the Makefile or Dockerfile, if the version is specified for a Pypi package, it should be the same as the version in the constraints file. The build will be failed with version conflict.
+
+| Version in config file | Version in Makefile/Dockerfile | Check Result |
+| --- | --- | --- |
+| Yes | No | Success |
+| No | Yes | Success |
+| No | No | Failed for version not specified |
+| Yes | Yes | Failed if different version |
+
+The Pypi version conguration file will be used as a pip constraints file, some of the flags no used, like upgrade=manual, will be removed when used by pip command. see [pip constraints-files user guide](https://pip.pypa.io/en/stable/user_guide/#constraints-files). It will control the installing packages and the referenced packages.
+
+The pip/pip3 command in Makefile and Dockerfile will be hooked with a new one, if version conflict, the build will break. It only installs the version of the package specified in the configuration file by adding the constraints option.
+
+## Pypi Version Upgrade Automation
+
+Developers can change the Pypi package version manually, and the Jenkins job will be provided to upgrade the Pypi package version automatically. It will upgrade all the Pypi packages listed in the Pypi version files, except the packages with a flag &quot;upgrade=manual&quot; in the configuration file.
+
+The data flow diagram of version upgrade is as below:
+
+![](images/pypi-version-upgrade-automation.png)
+
+## Work Items
+
+1. Generate the initial version files for pip/pip3.
+2. Add the new pip/pip3 command, verify the version and use the version constraints.
+3. Enable the new commands in Dockerfile files and Makefile files.
+4. Implement the Pypi version upgrade automation Jenkins pipeline.
+
+# Debian Packages
+
+## Debian Version Configuration
+
+The default version source files in files/build/versions/ for Debian packages.
+
+| File Name | Description |
+| --- | --- |
+| versions-deb-jessie | The versions for jessie |
+| versions-deb-stretch | The versions for stretch |
+| versions-deb-buster | The versions for buster |
+
+Similar to Pypi packages, the package version can be overridden per docker image. The different part is that the versions of the debian packages are relative to the debian release, in each release, such as the stretch and buster, the package versions are not the same, so we define a version configuration file for each debian release. For a specified docker image, such as docker-base-buster, etc, we can use dockers/docker-base-buster/versions-deb to override the version configuration file.
+
+## Debian Packages Version Control and Check
+
+Like Pypi Version control and check, if the build version is conflict with the version configuration, the build will be failed. The apt-get will be replaced with a bash script to check the version conflict.
+
+The version control is based on the [APT Preferences](https://manpages.debian.org/buster/apt/apt_preferences.5.en.html). The high priority of the APT preference can force to install a specified version of a package, even downgrade the package (priority >= 1000).
+
+Example setting for sudo:
+
+_Package: tzdata_
+
+_Pin: version 2019c-0+deb10u1_
+
+_Pin-Priority: 990_
+
+When installing the package tzdata, if the docker base has installed 2020a-0+deb10u1, it will skip to install the lower version 1.8.21p2-3ubuntu1 of the package. If the version is not installed, then prefer to install 2019c-0+deb10u1.
+
+The version configuration file not only controls the packages installing directly by &quot;apt-get install&quot; command, but also controls the dependent packages.
+
+When installing the package ntp, the package is depending on the package tzdata, if the tzdata not install the version 2019c-0+deb10u1 will be installed, even there is a new version 2020a-c+deb10u1.
+
+Sample script to verify it:
+
+_# apt-cache madison tzdata_
+
+_tzdata | 2020a-0+deb10u1 | http://deb.debian.org/debian buster/main amd64 Packages_
+
+_tzdata | 2019c-0+deb10u1 | http://deb.debian.org/debian buster-updates/main amd64 Packages_
+
+_# apt-get remove tzdata_
+
+_# apt-get install ntp_
+
+_# dpkg -l tzdata | grep tzdata_
+
+_ii tzdata 2019c-0+deb10u1 all time zone and daylight-saving time data_
+
+If you change the Pin-Priority to 100, then the latest version will be installed.
+
+## Work Items
+
+1. Generate the initial version files for Debian packages.
+
+2. Add the new apt-get command, verify the version and set the version preferences.
+
+3. Enable the new commands in Dockerfile files and Makefile files.
+
+4. Implement the Debian packages version upgrade automation Jenkins pipeline.
+
+   
+
+# Debootstrap
+
+Currently, it will call debootstrap command in each build to create a new debian base host image, the image will automatically use the latest debian packages. It is not a reproduceable build.
+
+debootstrap --variant=minbase --arch amd64 buster rootfs
+
+There are 4 steps in the debootstrap command normally, finding debian packages, downloading the packages, the first stage, and the second stage. The debootstrap supports to only run the first two steps to generate a tarball in tgz format, and supports to use the tarball to generate the file system without downloading the packages again.
+
+debootstrap --variant=minbase --arch amd64 --unpack-tarball=tarball.tgz buster rootfs
+
+The --unpack-tarball will only do the last two steps, without finding/downloading the debian packages in buster, See [debootstrap git commit](https://salsa.debian.org/installer-team/debootstrap/-/commit/25d80b10319ed292827d016bfea6edcdb51b9b52)
+
+The tarball can be generated by the following command:
+
+debootstrap --variant=minbase --arch amd64 --make-tarball=tarball.tgz buster rootfs
+
+We can generate the tarball and replace the all packages with the right versions, or generate the tarball ourselves to support the reproduceable build.
+
+The tarball format is as below:
+
+| File                    | Description                                          |
+| :---------------------- | :--------------------------------------------------- |
+| /debootstrap/base       | The base debian packages                             |
+| /debootstrap/required   | The required debian packages                         |
+| /debootstrap/debpaths   | The debian package name to package real path mapping |
+| /var/cache/apt/archives | Contains the debian packages in the folder           |
+
+The steps to do the reproduceable build for root filesystem.
+
+1. Build the normal root filesystem
+
+   debootstrap --variant=minbase --arch amd64 buster rootfs
+
+2. Freeze the versions, the version configuration format, see [here](#Pypi-Version-Configuration)
+
+3. Download the debian packages based on the frozen versions, and make the debootstrap tarball
+
+4. build the root filesystem using the tarball with frozen debian package versions.
+
+
+
+# Packages downloaded by wget/curl
+
+The web site may be not stable, and the web packages may be replaced to another one unexpectedly, so we do not want to depend on the web packages at a remote web site. Although there is no version for a package downloaded by wget/curl, the hash value of the package file can be used as the version value. Like Pypi packages and the Debian packages, there is a configuration file for wget/curl. For the package with the same URL, it is expected the same binary will be retrieved when using wget/curl.
+
+Requirements:
+
+1. Use the same web package, even the remote web package changed.
+2. Improve reliability, the build does not be impacted when the remote web site is not available.
+3. Keep update, automatically send a version change Pull Request to use the latest web package. [Low Priority]
+
+## Web Package Version Configuration
+
+The version file in files/build/versions/ for web packages.
+
+| File Name | Description |
+| --- | --- |
+| versions-web | The versions for packages downloaded from web |
+
+Like pip or debian package version configuration, the version format for web package is as below:
+
+<Package URL> **==** <hash value>;
+
+An example as below:
+
+https://storage.googleapis.com/golang/go1.14.2.linux-amd64.tar.gz== ebef065e4d35572af5b03e2be957a9c6c5063b38
+
+If any new remote web package is used, it should be added in the version configuration file, or the build will be failed, so as to the existing web packages.
+
+## File Storage
+
+Before a web package is used in the SONiC repository, the package should be uploaded to a trusted file storage. The SONiC build only depends on the trusted file storage, not depend on the remote web site.
+
+The file name format in the file storage is as below:
+
+<package name>-<sha1sum>
+
+For an example: go1.14.2.linux-amd64.tar.gz-ebef065e4d35572af5b03e2be957a9c6c5063b38
+
+For the same web package, it supports to have multiple versions of the file in the file storage, for example, go1.14.2.linux-amd64.tar.gz-b73d6366c0bce441d20138c150e2ddcdf406e654 (fake hash value), but for the same commit, the same version is used.
+
+There are multiple solutions for the file storage, such as FTP server, NFS server, Http Server, we do not focus on how to implement the file storage. In this document, we use Azure Storage Blob Container as the file storage. When you wget the web package [https://storage.googleapis.com/golang/go1.14.2.linux-amd64.tar.gz](https://storage.googleapis.com/golang/go1.14.2.linux-amd64.tar.gz), it will actually download package from the URL like [https://sonicstorage.blob.core.windows.net/public/go1.14.2.linux-amd64.tar.gz-ebef065e4d35572af5b03e2be957a9c6c5063b38](https://sonicstorage.blob.core.windows.net/public/go1.14.2.linux-amd64.tar.gz-ebef065e4d35572af5b03e2be957a9c6c5063b38) during the build, in this case, the storage account URL is [https://sonicstorage.blob.core.windows.net](https://sonicstorage.blob.core.windows.net/), and the container name is public. Some of the packages are already in the same storage account, it is not necessary to add to the version in the configuration file.
+
+## The process to use a new web package
+
+Option A: Manually upload package (only for file storage admin)
+
+1. Manually upload the web package to the file storage.
+2. Change the web package version configuration file to register the package, and use the wget/curl to download the package in your build script.
+
+Option B: Automatically upload package (for all)
+
+![](images/upload-package-automation.png)
+
+1. Change the web package version configuration file to register the package.
+
+Developer sends a Pull Request to register the web package, the web package URL and the package hash value (sha1sum) should be provided. The PR should be only one-line change in files/build/versions/versions-web, see [Web Package Version Configuration](#_Web_Package_Version).
+
+1. Upload the web package to the file storage.
+
+When the Pull Request is complete, and the commit is merged to the master branch, a background task is triggered to download the package, check the hash value, and upload to the file storage.
+
+1. Use the web package in your build script.
+
+Expect the step 2 is complete automatically. When the step 2 is complete, the web package is ready to use.
+
+## Work Items
+
+1. Generate the initial version files for web packages.
+2. Add the new wget/curl command, verify the hash value.
+3. Enable the new commands in Dockerfile files and Makefile files.
+4. Implement the web packages uploading to file storage automation Jenkins pipeline.
+
+# Debian Package Mirror
+
+Debian official mirror only supports a single version of each binary package in any given release by design. For reproduceable build, it is required to manage previous versions of Debian packages. The designed Debian package mirror is to guarantee that all the versions of Debian packages used by sonic-imagebuild exist in the mirror.
+
+The current design of the Debian package mirror is managed by [Aptly](https://www.aptly.info/). The [Azure Storage Static Website](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website) is used to publish the mirror. The [Azure Content Delivery Network (CDN)](https://docs.microsoft.com/en-us/azure/cdn/cdn-overview) integrated with Azure Storage Account is enabled to cache content from Azure Storage. To improve availability and performance, [Azure Traffic Manager](https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview) that supports failover across multiple Azure CDN endpoints, is exposed to users.
+
+![](images/azure-debian-mirror.png)
+
+
+
+## Debian Package Mirror managed by Aptly
+
+Steps to publish a Debian package mirror by Aptly:
+
+1. Create a mirror pool and update the pool, example commands as below:
+
+   _aptly mirror create debian-buster-main http://deb.debian.org/debian buster main_
+
+   _aptly mirror update debian-buster-main_
+
+2. Create a repository and import the packages from mirror pool, example commands as below:
+
+   _aptly repo create repo-debian-buster-main_
+
+   _aptly repo import debian-buster-main repo-debian-buster-main_
+
+3. Publish a repository
+
+   _aptly publish repo -distribution=buster repo-debian-buster_
+
+Steps to update a Debian package mirror by Aptly:
+
+1. Update the mirror pool
+
+   _aptly mirror update debian-buster-main_
+
+2. Import the repository
+
+   _aptly repo import debian-buster-main repo-debian-buster-main_
+
+3. Update the publish
+
+   _aptly publish update buster_
+
+To Publish the mirror to Azure Storage, [Azure Blob Fuse](https://github.com/Azure/azure-storage-fuse) supports to mount the Azure Blob Container to the filesystem, it makes easy to publish the Debian package mirror. The Azure Storage Account, storage container name and the Storage Account Assess Key or Storage SAS Token should be provided. The publish settings of aptly are as below:
+
+_&quot;FileSystemPublishEndpoints&quot;: {_
+
+_&quot;web&quot;: {_
+
+_&quot;rootDir&quot;: &quot; __/data/aptly/debian/web__&quot;,_
+
+_&quot;linkMethod&quot;: &quot;copy&quot;,_
+
+_&quot;verifyMethod&quot;:&quot;md5&quot;_
+
+_},_
+
+…
+
+_}_
+
+The rootDir above can be a blob fuse mount point. It will publish to Azure Storage directly.
+
+It is not guaranteed that all the Debian packages are in the mirror, if the size of the mirror glows too fast, we will remove some of the old versions of the packages which are not used by SONiC.
+
+# Pypi Package Mirror
+
+The Pypi official mirror supports multiple versions of each binary package. It is not required to have an additional mirror for the reproduceable build. Not like Debian package mirror, the designed Pypi mirror only publishes the packages used by SONiC image build, the other packages will not be published. Because the size of the full Pypi package mirror is up to 6 trillion bytes now, it is really hard to manage.
+
+The design of the Pypi package mirror is only for monitoring and alerting. When a specified version of the package is used in SONiC, we can expect the package should never be changed. If it was changed (the same package name and version, but different binary), we will be notified.
+
+If a package used by SONiC is removed from the Pypi official mirror accidently, the SONiC build will be failed. One of the solution is to add the extra URLs for pip command, see [here](https://pip.pypa.io/en/stable/reference/pip_install/#install-extra-index-url). But the risk should be very low, we keep to update the version to the latest one by design. It should not be the high priority task to do it.
+
+To publish only the packages used by SONiC, the used packages and versions should be collected by SONiC build. The input file should be like this as below:
+
+_Automat==0.6.0_
+
+_Babel==2.3.4_
+
+_Babel==2.6.0_
+
+_Flask==1.1.2_
+
+_Jinja2==2.10_
+
+_Jinja2==2.11.2_
+
+_Jinja2==2.7.3_
+
+For one package, it may contain several versions to publish. The input file schema is the same as the Pypi version control file.
+
+The [python-pypi-mirror](https://pypi.org/project/python-pypi-mirror/) is used to publish the Pypi mirror to [Azure Storage Static Website](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website), likes Debian package mirror, it supports CDN and traffic manager.
+
+# Docker Base Images
+
+In the original design, the base images of the SONiC Dockerfile are based on image tag, for instance, in the Dockerfile sonic-slave-buster/Dockerfile, the base image is debian:buster, we can find &quot;From debian:buster&quot; in the file. When a new debian buster image is pushed in the docker registry, the debian:buster will refer to the new one, it is not reproduceable. To make it support reproduceable, we can change to refer to the digest hash value of the image. The docker base images that are based on the image tag will be changed to base on the image digest to support reproduceable build. The Dockerfile as below is based on the image tag:
+
+_From <image>:<tag>_
+
+Example:
+
+_From debian:buster_
+
+Change to:
+
+_From <image>:<digest>_
+
+Example:
+
+_From debian@sha256:439a6bae1ef351ba9308fc9a5e69ff7754c14516f6be8ca26975fb564cb7fb76_
+
+The docker file will be changed to use the right digest during the build based on a version control file in file/build/versions/versions-docker-base, the content of the file is as below:
+
+debian:buster==_sha256:439a6bae1ef351ba9308fc9a5e69ff7754c14516f6be8ca26975fb564cb7fb76_
+
+debian:stretch==_sha256:335ecf9e8d9b2206c2e9e7f8b09547faa9f868e694f7c5be14c38be15ea8a7cf_
+
+debian:jessie==_sha256:8fc7649643ca1acd3940706613ea7b170762cfce6e7955a6afb387aa40e9f9ea_
+
+# Git Repository
+
+The SONiC build will download source code from remote repository during the build. For instance, when building sflow, it will download source code by command: git clone [https://github.com/sflow/sflowtool](https://github.com/sflow/sflowtool). It will download the latest source code, not reproduceable.
+
+A version control file is introduced to control which commit of the git repository will be download when building SONiC image. The schema of the version control file is same as wget/curl. The content of the control file likes as below:
+
+[https://github.com/sflow/sflowtool==1e42bc69fab8a8bc58b04a0ff9ad2c366eef6121](https://github.com/sflow/sflowtool==1e42bc69fab8a8bc58b04a0ff9ad2c366eef6121)
+
+It will run &quot;git reset <commit id> --hard&quot; after the &quot;git clone&quot; command.
+
+We do not manage the git repositories, if a git commit used by SONiC is removed, then the build will be broken.
+
+
+
diff --git a/doc/sonic-build-system/images/azure-debian-mirror.png b/doc/sonic-build-system/images/azure-debian-mirror.png
new file mode 100644
index 0000000000000000000000000000000000000000..76f7145b945b6c3c3387819bc5ecc16a706161f0
GIT binary patch
literal 19428
zcmeHvdt8$F)-O%tZja55>7tc+neJtoI;E+Jj#-+bncAd@ifNM~sTpbs0@ducrKx#I
z%^RhnnHRDIuSkv|W8M-kl-KfxNJI*VfXI2!YMlMP@A<sv{hWQy+3(qZh+H0?XZ_Y%
zzqP*KwbsM!QzvczqN<?^0)hTwcjA}}2=tW$@aO;MKLPLj4F1*___qS(VtW)+)~?9`
zUVQCu<!A*0l_#v8Kc@n`{^rt&vnUW~U6}H3#n1(vs~`|G((ahm>8swn!E#EsiTa0W
z*@Nd>rd7{ttxaCHE@|yrhxLaV4y`CrIfwcn4Q$UTE>47|{*0w~Duz8gPQQ6t`M&h&
zY!Rw}tuS8!0=+$;x(fulruq+jELek|pI#Mblh+wwy`}y7jUsD=Z&$z}jX27c#_2uj
zW+}Uj7C*!s)=aojv@&@!$Uqg@T7AkO+~<dtAe(b>rW;iY);L@MJ>OGe$UfT8eZBcx
z(59P46Q01A4eqZ1<vnT2TCL)`YS%%K&xYP~)I*=C=jZ<fy7Q|B>c9pEt@KvVHD`Cf
z_M88hlcx{XUg76>*GEZ&3v$^A2E_Ox@txVJo?_Sv*Fb^=7X5+T#z@d1c-LK>7Is)F
z%;i!M7eCa(WswLL_=PCUpgm(~3!6oPhp-B9poNW}Rp3`KOv5WGk58}VV>tag$aiUJ
zIXCP^v4V*<U#om<pe}Q^O8af#mj#~0L=~raxEhFFT@{tyQ!UVk*PDmP6GDdT2Ps_i
zp7d)!d{)ulx?CFa;YjS<$9MSpHp%oTgBOw*meto^84}We>}H~>nh|dwbz}CCgd+DT
zSKYt5Oy&9YSSm921i7}XF2MMy$JriFZz`16OoZWiSM9`wdQIOQ&!LQude^X?|M`op
zcI&+*-mvTcDJ)8{AgAFmJ9O2BSB~m_-96&wV|6^*V}q&$)9hzsI4xjz^keAm>ljo0
zJE-w~$M{A=bv}>d&NBAaw{Mnp8CG}-;COlXkztxb&hN)`UhRg94ddOeZ|J6lk*=@(
zT>~B^X{x)_elUs*T}QY6Z5XQUN`IN*o}^v;>vnH$NN(<L&5V>5F`HF0KDQ})jNcV%
zzv0%_1n`{~pB?7X%Z=hE6%d6eMK!wO>T4GRJ-V))?D2`15VSC4Ue^f_rl%>35dyKG
z+F;icEu;l|Ul?+xBO5AarPsZ`th|s&M<Z%g*Q<eb)w^d#w&~xU5hoEa+`|r1(Y+z|
z@ar+Z$8n}QPTc9xIJ1PN#2lzEOjCz()7-*f-DmSRA`s=?ePwhw{g+2Roumfz>Vmmn
z*mJUM6TBU+M5>FE9=7Tu#1|P)%xA&kS=_4xSF1v9*YJsZ`v;LeU;l1vrZ2U^i#E#~
zA<1<$g~;;7b=_877o?B1PJWpX2fxk%7yL3?s1(W4pF52vVLQ8RNA2mAJ_s6d?)iz|
zm*rl8g7#b2(0UJ78Wp5SFTSA&%_=lWzV<2vN)d+~lb1A^tWBu@la1f!z3X#;LwbLV
z^wY5w{$G^*+*8OsEY~=I>nXUgR{@57<=^mG|If2#;N)e8{zEtLfA!?~$@i5pt-|>)
zj69#IQyJYrNVCb~4PG(_!WGfZ5%}y--;naduRx$j5B}kgQy&>R_*VypZ1&Ofy^7<`
z#MsrIX*31G=pM(5edN9XVtNIaoM=BCz(Sg6tGGrp^9w#5=Dnq8LqY`gZ==r2m<vxn
zNNRWgczL{6Z53{8b}7n|n(w>$@4s4onH#gx@-k*AuCm5jiw~;Tc~*zhuj^Dp7Q^%e
z^72H_=GES112rSh69#e?1GB)$R4{c%Mc*yhEA*{xaK~aOmSki_hBw_v+gDj;@^O3R
zQe=;EY_Bu(YiPL#bJLtl>|cuI^}GDNv&-L(zbxIiX8t$cQfl~@nEyAlc_E`!nat3#
zSzcF5ntljRE)zQq*JCkgAfMqYi;5DY6Wva-%TvXpI3V2D5#IwxIgz}nx;e6oN_$U*
zk7-JQ)Tel1ab(#78uurkT^*O9ept^wP}gUuE>a*Ip~v>$Q0w<Q_j04Lo{PuFnVYBh
z;qjQ*Y+p{)TJHPBlZ6U3?fn$<5`nrHNW&eNj^<^KW6*eh0r)7$kh#q@_xOJJa~vR}
zWxr^lF&eBum62n!Q+%@%mCg>!KDTC^qB%OT%)`>p{ZQ;)E#}4&x7jcz3+KL*ht&&r
z%TjM5_x8Rq0o<9~bARI0+}!jiumABu)Uw^uYH%NU{3UZCYHcje5;tE(T@Z9whV;YK
zYx~^We+BkYNoo6`=o>LRv9Rz9%l1k1=3RoJ*zA1E!OHy+<npYWOQIpx+*Tz%!`JTk
z<Dt)RJD-YJd#5XHlf+#&h{s7kmlx~R`M(3UWbYaO3~T2A4(#!>zmuzrFb1`c&0g?v
zW90V>a8meDM5g+2)dF5tImN6+lc~^k0#dYMp>BL&`L2HEa6z6zDo~t__)W3<-Mb;h
z4s-YhQFN_Y&JDy7{}OH6j;(Yip23AHq%1+IKzUL2pLJ`xXg?KGX&L+25jFr016&9F
zC?K>emsmiUBF}NI=h1a3$i#hWMnw97`s1f+ZC7W<C)_L#D?1npgpguZCu&dJ+91b=
zxD852iGL7j)ezP;(0=PiQR5xJTO8_tdqKg(c2KcK97$gGeWkWAd&e(12J?Bvb{z!D
zAB<vf|6d{OUy=4d%v+rE1zyh<bLR47xW_T@Kb<)NGIjct!9V&jd~P(sGGJp!-aTJt
zS<h0cf2X;~qKtVSK@~0zeWJb-#H$rtBPE-%M!0l+I*b%|I>xrvdy#VeYcu={cKlC3
zoL;izQ`SaHKfY@eq@tAMu<HxYooLJKze?KnL0;%Y$f+D)C9%Bq%G0eGb3k72QnE)D
zaTeghY>1dVMv4A{*#hpjdYq`ZRR^Tu$d>AWD34n}rjZK)2HgKuBJ-$RB4D$x2wvru
zA|t0q=t7mQ_ox#WvTSSOmE5(A%kCglYEF6}Jude*enF-s*{vSt!eq`cUV)W~0bU(7
zgwi&w-`Pi_yfsO7uYfhtj7b>xEnHRLT-mmJ<KQY)s*f<e6O^<sa=9P5FIrE=>8fF~
z;Zn|N89Dt}tc8S>B=nGtp3|b`?!^i|0_*QL7Lnu{Rt$ZS^S6561tKmw-`Rx1%`;yM
zi?@j4Mo)JKz;p)*#`NIovIq4CH#%%*-`zhRNHX046-?eT-2t0Od=YAdMD@2U7askZ
zyLF#bEm8ZGG|;keRdt4xLDK6!41dog1e4)>AQ$6g>f0U>+Vg@!PwJUND_#ezJ!L6x
zv$1C|OtzIxW^}_@>u8Tp`0bB#jLr0&^fWXkKe*}bC|i(nN&S%vaz1`|sM6c*H~uID
zDX57imxpENP25en+=C|Z+qQO^`tDyV1Eecur814mIJL%=RL{>4y)mP?<oGc#67uml
zIDiV59$5pqHJZ8Nw#u%t*z8%x(G2ESceM*G$b=XpV|s_5JtDI`t*IT5M9;0J;LsT<
zt|i<KF%Rt>3)e^b#^qS&T11x3=2$0%So*GM?v2bx!n&M#$0ERA;QzU{^Svw2fG<Oy
z<Z-CluTAAIN}|ivv+r6?B3E1AGC{PG!RTy#J}f3V1a`z&4a6Zq!yM3_QAfV7**%pP
z^34uuA)~DNfJiTnc;3-l{B&3Er0EW#Y<(y*9fCSBV<M47U6d@mIvBkp-Y$XU1>5jb
z47Dj^;6uaj7P;Swem-SYyejgLyrE2+IUQ$pYIq*DQq=$S!K7zjPLmf@5&M1iVMxJ-
z-DP@{;WfAP;~cRSujy4Y$Qb%b1|$5hr7ZHH)Fh+G!Ilj7P(l}S2(`wJvv85ha>=kx
zV%$cqj#p}1o%W|Tz8HeMT)XNE(K(gbN+ev|i6bT**npm6IK9{_FSWVI+Lpgco^fNZ
zy0+G{zm2@8T&EH1p{q_2X0FBx9&YL@C}45iQ=1A<bV+!YFPl|Saf|Hj=B@#?(<5OX
z(=WGf-8)F2vhR*9I-wq`z}F5RwLrqlxsfeq<be-#0I9uvHgV$7??5du`7AgLk^-%`
z#%a_RUSq9<D{Q(Nz2OS3CYt0Yd;oVfxGmMS!L_f`Q$=KD`R)leyU=OWRIR2@3?h~j
z%PU@Swj>HOgcj|av8PS`n#yG!EtH$#2Zo6<wZO<hSG`ofHMeK)eQ3!+ov>dN3rW&j
zU}1qWLw%7)uy`Z}_4Ro44NgXN_F90aLUupXu8)Kg`Dxzzw*{rV+VhBEW;Jq}Dd!;d
z{_1gTv<{tp;K|n6LdFEsf?R*DqptV;=HiG_jtnESABiI4o=$jH6H%2}`>@oAHFiR~
z1Sg`b>&!F%V1DQ_-fCF!1aW;ex>V&AT?x@`FAFu-Eh8u^lOw;CPaUHjy$#0(l*42+
zhrVBwh%;df@UdmceAO<2I}$G{Kdhvz+MUj*6U%|L!@ub9e`^-cY<8%<u%&cEas<`b
zWv@05{kb+&fh2d@8zNZ9?e|7H%UGXlM73uY4=y$K*t?78@fY@w4PS#mr>y?LkD>Q(
za1tyR9smU@jkpM(+NaPB4#fP$S2lvm;#{BH#pe`Q?c)|TpkeWxySDe7vP1A{{D1jL
z!AXGpqoqPlm!Q@!>)f}`&wh*q&BuF2duc!Rk<N^_@Xkr!HAb`b<Uk3%TJmllz!3e@
zokR85T8<~#a8Ems_6fs0{W3qqw{RMcI(S6{jnignz!>onH3^0+0Y!B1^i#0})LrTo
z?LT`;Wf7(T1%xhuVm>4sn1O)VCbMGxaAg7g?D1re*uG6R8+XOv`SpQ>zSxcW!K}?T
z3COroKijhlk`r`uw-)w7P9R|wNCvB2)A9bCY5{Q7LG66JLN4YFTPo%SkxrTO=LQ6q
z4rpx|y=dy+v1#_foQ@@~PEAXyt}o*CSN2E5@$VdGwE9`*kx`*zSrDlJWS(op{rFzH
zz=!EXl@|OsM8o4{l)Xg49fdMaM?fx#NHJ+C(tvlTT?xY7KX;O(GlGIp6cij0r*FAS
zJzOhKzBj0Afmn_lKx6?|8)$!6A1Jkf_TP{evb)@wa#K;KBwQ|eUE$~`6Xb5!O7kuz
z_;Sn|nGv0vMm1)t#PQG|Eg2P4HL);w#G8pl#2OA{f+OeC!Q?1P*0ZoRqGn4SXoclv
zf~zJ^Kh8Q(#?RjJd=s+w-5ZEQL;k8d?TXxxb;46hl*Xe@Ql*nH709H>48IA9F~8$y
zctWS$%-E8o{_CwwXo4dGR`Vm5+LU)(zp3D+`J}nWWNK3mqcdH|wG_oI1U?M2(0aC`
z9bSW@0tis1@J!AhWg>ZQ!xgV#ePx)(p?gy^yxHRXFwX-`ugqpK;!}*C55v^apHdzn
zYGbZu^M@4+VjeZXd<vEc)(sfh($jafH%BmJTHz%RJ3y`9EgcVxEajyUQ7bq3x0#vO
zM(;_lxHP%-G2N+R&m>k_sg5S78>8P&#O9BIN9U>9Z>KFr3SuwmS{jd)ccEgMis<`N
znsWI1^lu{Tm=b&OwtTh|<FRZ@Y#>LI6B^n2q{54p7R=&e#OIrP%h^ne$oF~xAlrc-
zHq+_7<KLpW&&$=KcPCW7C<fUN^n}o77Nr7qHsI_&1sM>1A6Fpu*l~2>u2=2%Km!8a
zz&TeIqMAC!_!IU>%7RdPw1+lr25<ck2N@<EJ!!}k3~~ts{j^yp5?s+Vta7hCQ9F(C
zEwYl$hMOHon?-I0EbG1{bKr<Y{ke76)kHbakvOIhzQzc);^7)jTvI6fZryMa5l1#b
zHkC(w3z~I>MU&ocRV|n+It}g#kmiLz+(%)B^IKuk=AUM8#OP-f#C7P#!6at6bQT)g
z#hbR!!ap{ijiNOX>1ORjY-y~EE>CB8Xxwj4_IAjDgw3fG?m*01p;?U9*)JlcGlC%&
zs=KmxUnax^g_d~eCeSXJm$LU~ThHL2snVVqkA8h51LR{#4xdv!05`aYJDL_2x`Eo;
z=x!;A)&5m7Y;(f=NqAj~cDvb0Mll~EDc2~jKl@T)yhB|@E<a%x^gdEk)Z?pHvxW}c
zNUNiHr>QgUidoe?mRi<IOG!+B1=?c_4O)hGp*%IdWpN9n6HqPF(!)H0$3Y$D9I~kk
z-Oe;U#=3{INF8IZCfD`OwlJ$#+(CtC)yK4Kbnr+Kp3>`dnnpj5)qaY8#c-OP-k0dP
ze*<v##<Q{Ul)~8H+wBigMWhV%HsUI3Q^7)~o1XeU>X{N?x5CigSS}Hh%Zn+3A1B7b
zhb+q?5i2@mwuu_ULw27<jBp0PzN2_|IKS%jPzdief3R^rtCYbdQ*66%ar=JC1S96>
zu?TbK<#r<K#q3<v{^pLfnl!f}9_>mn$Zr6!<;Ygt&Pp5U-L{R_J!@#)ZkCd%C{Awe
zF@`NHuN%(^-xHJ!Y2S*JvHO`~C>!3VT|w(EjPP{Fyk|<7yy+V8RW%n~RiU>dDNXh6
z<a&m^)MG~M(x*NWg&?G&_6IrjNCOm93-K(g{VzUvOi81^ZG-S)2f;o(hZsV>rlDr5
zn{>nbAOV#1Mw|Qbjk5uy|CtYSq>1$Plb`1GGAHsg0AG_G0-5ANdfz?E^FcSU=1ej%
zw1}^+9em@bWpU)cm|y;DS?S+?tH1`aU)jIuw5fR0YCcQeldh2;s?3izTi#swfm;PT
zWngq-^p)}*<EH>m39WqK6Zke}CFrWdv$BKF;%ik@Tvxhjf}Z<jglFFmAJ79%P&EPq
zX?K-yTT4cRts1(YtE~ckOuyjee?jZYYSn^2m6?F9F%EIf4lbSj5`6{8yx=VB{#nN0
zjT=SR_pJfFHEgSCZ#Da%zQN%yo}nO60-`tk!vBp+UsL~F;}_Hl(4wiHE+zFJ9=uY3
zM2kNRDq8^rAg3wneqKYC4JIXY_l`bkU$$_zbAVO%(G8A#@*ZX1yP7fjii`(}^AfKu
zgU`S^7Ur}g3G*2#qvX}Rvt^u7MuL+*&?uL(3HTDh5AutXqEw7??XYBljC!&&A>i;b
zokeb#ek%u>5TyvK#im5&;gB4Ru+!;RSnPL|K%-nd&8I1FxWhwzvOZUXY7*jhy_X9L
zYPm(~Iq6NoHU0#g7N=T(N?&F*^BCqYZhX;ts(Orf!bcz0SCwwpt9yH8HM3RQ%Mi_-
zDz2|*sviyVJ0o8hFEf6YZKCB>{QO)fY>x=}U9;lMQBt@=O~B+P>^>r|vjWZtyzbnR
z&?ymhRZ!TLWUh%^YCU?2uujxzIuZgClIm4%iOtT8+H<JB2wFx{)~p@L$P&+qvXae&
zs2sv+6;9(NGvkq5{A8Ws-<V|9$YUoQoLm~#!9=bT=?_+Vax!}F@P^3E8L0ejeQK{s
zFakF@02SB=%3P<ChiXlX$HWxjn^!U+S`>n&2{uVg!$a%|dh%jHlX>x=ZN>fNI#7jN
z^fQb}J)nvv=&Mc<4yaC%=(hd2cIL0c9s1yW(KXhu4|(X)RrptiG1GtnMtlz#p43|>
zB|F!#baWY}<X8E^1)#Q5Dett^%V*V0MCHy+$$%a|TTc;kE-r`@+E<7|5P&?-@{TR$
z8J?l4Q}qX*O>VSjcdU+P8rgAPry`U4Ozlsff7DY(HYNqiP%-PpCr5j#!sE6M>Z7yq
z#`dhtA^yCk1fvC$UcA>1t4(kZS++w2dq!4hf&J8Urth8<M>BK319M$MlXdi`2*I&m
zZJ$gJJEz+$8{<PqTgS1?@-hfPeW32`EAsw0%i%(nxD2~D*z8Pm!fG<EFRdvJkSORP
zc~PQVA5|#JBh!s6H>G#J7KY%0a(NtyJ<FwL=+FgR{Jfm$UmP~nhkb$mJMVaK96WM$
zZbAkHU%+mEsB#7?y5xj6I%P(q(2s5)@%6Utj3mrsgR<5h<|XI&wMmYR_Ew%Lnty$o
zSBD&(kf-|gO78)vX;+a}?ZkjsI>~bG)6t9Hr{=&hy+Pr6hSqtr1ye%{S<*cx%@$6-
z2Xn}O^&mvy7jT?s<Xy&;%;oltnQz!vs^a>}7}AZTC(I%<rMA#}@y+Ad-aD?ArO4^q
z>5&AXCbGSd=BTSz)t8FjvUUcGE)BhD6iSScKkRjy?n1f)qQsR(1YPE9My^J#-bH84
zGEMU-mX#ZJcYlZ;!_LUE`S2KE*oaVSR9-&#hk!5!9-0p^65frc>&^~h42r+E+xS-#
zH|f5c?kB?QlZeN+{{#!LUwx}7clvfy9ug|cXS<^;2GgpX_R8&{tc@&9!<~bL1uR6C
zQRq$@NfNqsxJ+zjTwio*UdX?iT4opMSL~HpLap!ayHT|0JkZczGdgT|IJV&jx`QPw
z(vn&>Xj}4kvE(jmrMn({O!$Ch%!{QT!W$IQ>^rxui~Z%rFXq}pD|RQv<fLAE5eph?
z^Bdqg+k?$cVlnGjxuH{dmDE|g4(B5T)vrX&3Ij8s(}nZ$Lu=p021bUu#BTAGF~8E7
z;h{+?u<CAZ#dk$suDCMh>kojCrnV>j92oZr+rvY=?Sk<3vec2^GCKY?t2Y?Z>^H_w
zv-o#~-GTni2A1@pMb;A!?>j*B<BPzN1g0UBeKv+HG|TU=_z|(9wlFOI0hYY!9LJn9
zYlIyeG9)8)>F#}J`VJsFLOU`R4F5)~C(AE~z;$_PI;arB09PNaqj!&%#x%Zoa9NmL
z@uBnZY6%{Wh;Xah<rDk=W|sOtmLRP(q8CR$5`%UvW&U3dty!F5+urZ6l-&OfngD@*
zOtW>5-kbiv{fP##Jb-oaBysL@jUn)0dQjabyi(SmWk3C;?9d)uP#%1|q5Jzd>)K$H
zF1^s}Q&;Fn?fs@2wM7Ior**GCZ^YMpvG#S?HP~N+du9=SyuETdI3Xr>da<50>`<MJ
zD1kW}7+s=YA9k*W=pJZV>NOu6k65}00C#Y<<Fk*dHgzmE<=ayF|8<f7gu3=%zThiS
zsIrs3mWmO7;EcDVIq`u}z@ZVNFGjJUM*?t)XT8~xFIpiNaapJY#zUlX9zt-0;9OnG
zx!qF7N$WT~$S78KXiYN)3I|bWptsTm)G<)6As(6i2h*3VxJhldHWL7F^+s3|0P4wv
zK#zy5Ef*#W*4{i(9JK<q`CflUPE{VeZ9l5uJnywmk<W-}m(B2jA}vHvaEH&5$$d^|
zF|9rLqOLgYi<sA_tyQ^;LL5O4wVL}=;;|jb56wZb<WQTAjrSwl$M&T6wI1p%1(5Qc
zm}JZIH~>1yik#rzM9+up6M8U+U^A^k!X`2#W0va<+0euE3tO1Wuuy1G<0U{_DoAtc
z*)e%o&YTx*p~tCg+M9v&+)H&c=ec#I=Q-iBB@!sRzwyyPukb~Wyy|es45pfql?a)L
zlTKb00YIun(5rYQ@!Kzv5RG@+`@uERD23t^@-7r3YAAPirCx7Sr)VHkKWR82s(pXk
z#=V1AINADBDE(n8tgi#n1lhh809oqPG|VXVO14Ws{HbxJzd@IKWv)-4fo{CTkJAlz
zQt_L}dicAX^sud6hSKi?VTU?tp-~sRkl0D`rhrUuuGM$laJI4pGN`h>>2Y+&Fi>V1
z7Ap<Fj}%>V<j9rtpt8J#j4@XAL=<Mzq7f3e%eUxdA4b#I%H=rj*R;eh)KQ%TMOd@K
z*`jfFT2(vI)LBEutjdM&$;R+TQn`y-AJLv14gh9nf}s3p??TiCMExyq#&o$CDIAQM
zfZh=d9eiLM(wnutaGRZ8+40mSSZ#aX!cHU#^QVJx;rjr>k~fkM-fX0%J?*2~xqC8P
z`hD`%Kc{G$OQxqX>l2Ree?+77jLB!j#899RFEOdi3W;4b{}!>m_^2M?u!OpQur}3n
zJEnDu2tJj}Z|TrSP8_qCC5HA$5pZpMY0dz}ear5$a76tHoTbo=S}C509b@nf;r6D@
z0<X-&$o9n88+*xzhWf&LXZ6qi!F%z)-Lg2vS!Kp|l|JXfv?24|ZeX%-AA9~Pl?9M}
zZ#FnR%3&u_K)G|!*Os97*)!VsaruG^ZB*p_gSkOw(F<{`Qo)2bAqtLYg-Q3*OGNv!
zF-vk4hJif@2LXvvJ`~2YXwx-U>c{+&JP3U_`C~_HE<)zgkdm`I0K+rm^Zt!5NTM%6
z8#Yupf}df)yLep~QCzBST+t4G<%KLM0tz0yl{x$7ay{hE%OFRm0hf4>)ddfN$cviF
zwjSNzEas3Wpn+}S<Ji=upSXo{90;N_xnCVQn)1QQ48DV($0C~Mi6v2q^K+1imJGw5
z2}hnLXU-P}Z8-gJjX0)rRGtIDgC^f?&>4CSN8eRZ+cC9%Bx?F6wE3y9vLqw$56!Y3
zZHL_QfT-N*$-dl<Q~~eY>0l&!WJ0`)a2V6E`HkPuWXR#Lc$1J;6+3YeCmdH#M(x)E
zTuzB_{6;g^)8T^3T{|JwLFL9LaixH0siw&t8=LtuZNW}JUP*c&pmx*CdMd6wGo&o7
zq>Z=vODtFq-ih7RGXt)jTv5jBBZ12;u1Qu|$UV-2>xJBzt3T$0O|q@|qnpSk1n)HM
zZ>#Iz3qbj9v|FL8TXuZ38(+CodeL-P+h&|nusb+t=uY~<r;NHz-{N{Rry<MPqP=Gh
zB&;2EAnnunBrn}f3?&Ivo*j1zhLyy*X6n0SDh)j*_Cm9vL%V(RC8-#}1)ix(&4Rf?
z+=Stq5h=9u%fjAyP3)!I!Q>AevflR45Dad>W!Q6w6gI%Dwx33~v;58n^Eq+Fn6*K6
zHTrzFBRE8DN<5WiSvfJVlgJ|nAv?$u>0~sj_6$_h%e4ZN`k^snG;Q`?JoQS>si|jS
zp16fqm*X+Ln(O`Cr(perz-C_Oh5wJz@*CF$!ic_nc<bA$0d2J_`zE^3%8uLno2C^*
z%W%k>WbG5^O>}&W<pS8KazQ7?yGIF3KAdSS6e&T=o7JcQ>ix?{mSXhVm}iAoO^7oJ
zYe&sA0PzIVqdb&AC5vhh-J7|$@>9$!Gr@SEO*p%2PD>T}r3w~5WkKhqvS_d1D;kvH
zxdWrHW+365xy_nN;1oQb;q+^k2Sd$YzxAQ$!b_fm-(ZZgn$w;$6Wyf@=irB7K;-BD
zS@^uu=_)!K2Ps1ZWY(J{$T^L+;GID-puk=_&ggjiXmPEKsC5(FXh4c{Yf6`+vDy4p
zvGr5Ev_P~0R#_F`<0q|>EJ{Xp*FG4n(0ddj6;(?MWP(xuOG?yMd(Y3}8&n|V-&q~=
zm*e2|kP|}JUghM5-aX6bLNmMx5lotYce>y5m%PiE(*vd3SlijjB^*@5qTY92Zqa=F
z2Nk{4(U8W#`WNN}N_sD`bHEC}zn%KBBT<oGz>+v!mVOhuYY_{=Oec~J3VTuijxpvN
zwn-s4>DybYZZBv*IL3a}$Odkhs1#3SF6jN3<pj1cqPF|x3@({8Ub3ULNaPth`>Uo$
zNWnn+5{#%Cd0!;F#I&~Q2cQfv#Hf(}wSd<-QfNl)T@d0Ele%;~n?k3KWG*c#1-__U
zGeEh{7Wb{Wt-k}*EXX+g=V(lSo(kmR$coCatT9I0*rGv-iStAKIUTWNf!&Os{|GQJ
z+U}h?6B&ZB0H<5C4}SJ7lrg7~^Emz`&p9+f_-BEg(*I1?PrQ<R3UXB=S$|RKGO?vY
z*2NCidxp0E)iliFi_7^R<g(uA{m;JroUfE-<LKf*Hf@<xucRp#=Xr;{ILf-r|JKYe
zp3g96aSCv`^*$cat+b`nuP%16mn-wX{YCCJJ@l$Hy*JWT#<J0+=XsH`2bZ=hK=2|4
zCr-yW)qWZWjEGn=4#4aBj51yKT6`L|BlmrKVGAFq&w@Y?TDF%o{sW%GG2MZ|{p~4D
zR<$Qld+0>3!Zshuw6dW5AJRC0j`C{SiZ&2Fx1o9O|9{FC|Ez@csT;`~f(3fz5-%Mk
z{nqaMGIFOJr_=NP!mR<K1*DQ;i<C~Gx6Uh|Lk$sM)vTHAAXr+`1WQz{H4`U^>cZ9q
zHoS;J2!Q#u!j1ag=5k;ZJ$f*YTn+hUiH!f^96GWUDBtp7UC{!ddF>Pe^v*wYI$4_P
zINz#xxzQl)3x)f^-@Z3qo~XJj=U|YKm(-WoJ2Ct1C%>|x?}g-xye$VO8z|9`jW_mb
zeCCU-s0-ZJ;<|}NaPKdSO1#f@h`&+PwzSb29+^n2CzNrXAQj%b^qYbL6wN)Q54u97
zx1Ia*5VZInYiB)(4LgCv5e#>7(}8BeK+{7DXtxvl_OOTxmyc=i!|R&vF){QmoKc*q
zbc}VMKnweXr9B4|FoIpQG)$`!vOY?PcOxv_4+qY+Y)T@)15vq$0RDl%pcA?+Ay-=2
zdg#mjzCoH^9aPCSiTpQqD>EvQiA@`l<XVVlw7PdUosM}np=l*&B0DkFhlen%y=3_x
zDbnQ14LYp>l4$4tnN|1W?Kb|Pl?TqH9A7Wr!eAIvd!xN$uTwZ=?XRum;R^ttANDfv
zEkV!C%f-VAtO78ABF7E<I%NnC5POQH^pPDd8`)kNy+ou;nY2!3WS$t)u3XNGUl(tg
zlN}-emGnS@2M%|e>zT2hSgs$pPkNJC%{mZVy+o-#TwjPwZQs~Q5#lDp&HPg*Vkg5j
zb^1jf;wS#~FHHE5l}l(`H>rEX<2<5{%q{sl4s%j^*V*;mT5!R4*c;x3;2&;B|Hx@b
z)*;n%WbQ9+NRcqdA$_3J?0<lloPcVPP?nf#C@D<8dnPh@xP_@?SO5xlRuC;D_4D&j
zFPt0$D7RZFVRn3)HMPV~J<^n*+nUsc!Gr)5a9&$LOi4B$CPxA)uilgH0v#>&@()rZ
z{lR-@qVG(uyoY-rupol#>c=}9ov@-)P}=481Qte%gdYuGxYo=#?P3<vVzNC#_&dv*
zA39+c(mS9eq<sab$>FPmW+5L$&Ek7ab;J&rRu3AWz$Llt#ScWLC_o|(ZtALh3kk!9
zTI?zk74cZ4zV6)_6n&un9(jYpDiaL-9bKMWnS%dw<pu|<exX6F*oSFBbsG*SVy4^A
z;E+v41d8xgTovMXGO9QJi0q@<cP4X@ub3WcPl_UVBkS{fJ>7=<5uRjR3}Gl)eTh?X
zwDSeWXDrZO83)k>fLJ9A`_-3hb`2WpZcmKYr;s-|{5wWm*xJp1BUp7!`{eYyI5~0E
z*;7`z7F*jl!ikKP$Jx4P1>Yyv!FdfkG-8`}Yb2EEEu&GmkeSG5;>G&OLWDK@mY~V=
zZkV!r!-gGUFqJO1RDU;ho;SiHU6_mXbc~hJu@Q0qppu!^13Vs(H#?zdvB<!3G3Y6K
zM!`4t4dgU@i3QWAn9<I9iYKw!Z~MyR((kw{)A4V+NcTi<p|k@DtBy&pb(sn+;+<m!
zoN!LV-4@ySVhLVO${q1IbW(l=wv4OxPPE-xq|kblsbayH+>emqJ3h0?uw7U)^GRNh
zsBoIl3~m4uj#21+CS=Jr@}i+}!$g4HW4GC4gj636>CM?r<aP+~A$8(1*FYI`dDv^}
zT(!Fo!da*b;c1E~Y=)kwZCq~8(915~Kw?KhY$j%NhN@~dcBbabW^m-uGzygS8Y4#`
z+r3=+y!$D$p2+yK#fK}A<QJVr$7}sL7A2-Q1ROYq{SDCq${1&Z_1IPZZH7yA`l8eU
z?Vx|!>Z;ZKg}g|pqO;0-kqXQu>}%cYrkUb3U0p%{<N=c=)9~wF(vMgm`pv#`Q0%M8
z6-!A!>+F^5zn&8HDvsR7d>G91&O_CnKkqr=I;b|$J!t})Sc?kK0p2V8l+rpwg$-Q_
zJuB&3I|RXFfgrSOY}~7@p^>&g%Q{pbRBXQpc8fBIyVDZ&xc1j94K4o`bKf;Qzp!BO
zp-=TYvv`ZE(~86S3L5$Jyw16)U(U)DKbjp~cm=r6K8tjlrk^c(yw07Bi$BN(z8cx~
zsfroDUdJ38o~7849~4LgW2HyJsAp*NyMHC}a-$#m7LSMWwbB5pG=0r+Fm^jx9(e~6
z*Un2y3?0So#lzUi741bH+N{<ha~5nO*<2~v?hlEVDG}OjKSbxNbJtG1(*B%o8MnbX
zxWFzh!4hx5mvqzvnMBd?iyaeO;*F$9r;wAtgc5iqBy0oJktF(F74Rgc;R~m1vn!A2
zMZB~_O+z;9i00p_LTTuU<Vks-DcLxIY<e&LTuW4v?S0q0(HD@w`?eBnkL+37)*?DO
z#k3;&i*lLZ9E<d65B%znv%LO(WDr!xAxXQCC9$?jrKG9n3JaeQM=wtmhH{3PzZ9t#
zQs7}9iXni`9QmwX$qqDu?P}l8nkWyePmu~+cb`3y`i2cykpuBKk}xBCERI}5tiT2h
z*|VWV9aPgDWOpRv2bpGH;};j<ta1Wxhh!ZCCZX1hfp^&@z@#6`26G5_PL-z+%D5L8
zm&{Ki`@QiE3r@RpCv%8YDzHoafI(pDgW4p}+zvnpOx(}KiPesA@ySDZWWgR92`a9x
zfDES+V5#kCF&0qNiNNw%jg~Wia4KNk^%r_&^Sd+pRz+|cYb&V2^{36h`x&@wDO~Sl
z5UoV3MSamV2ZXqwY^SGT!_a>5OTW^N43mT(3T+s6{La3}lwlT8=Gpfl!`dZQv<DRc
z{#;xg9n&$FUw^25l*4Z&<2!EHv3pnk2tH~=Jt-^2Zt9lyjC9Yo^p#&UG^>Q#G_~<r
zsgfN~F|`6qGVhg^+!pLX1%_qKYnK9cGgK~T&`9Yt&dZ&q+48Cs{3{}J;fY~@B1a{8
za>XNgAjiq|GQX-j11BCi5v0i21Y7b+fsFjKMKco%@2j`fW(kYviMHv0V~mLd+RR@j
zoUQ4A_IoMSq<wA;@7$;Ie^^#nrz(;{<U{2@BQUQPTnK%k4~fIndhskNuADwOaA5Q1
z$}n2*#bPQL+J9U|(cIW8OvHr#O0__aUNronvZyoEUi^rnH%tp7q)}pLgG>*UaMpjI
zCt+l;kqV9Me#ob-RyFe9o}2>1MgLq}9+;P61u6TGpKmkwKfDx9{}VL(^BnXqZ<>Hf
zs`Vhy<jkMB2LH@YK8~yIS{x_~V37YXQVk4SyVx&%atL1gv_)Am0OkGTZyj8IYogKO
zZG_6{w%XH;W<Yz_e*I$qy5jzp-iJPcr!p2N-}2f9o~!|y!n-zs-m1EH^a0&opBpPc
zW!FR{TL169{VtITOsH{y3AGMBsP)cgSuY5I!L!0NefUBp6)THyeV6CQ*D5pt5-1K=
zNvnz{8b$%2<4kuEd=q4s&zTZ`9?+LGXfVjz^8;`vI~J+C|Ma0EvPq4P%lzSxp?SQD
zv%Rbv7*Y$ZJ^9e*tCyeEbIyi%RQW3|Jzwo%_2ENe6ae#vtrY^@TXv~pdTBabUoRb$
zQl3N3^9g+Zb>p2>)ofrseYif+?zmO1UxlTbN(;dIgGnNiD(S8wt}8*uGMIe|ZiLMv
z23g6w1c?0{V8mx~UdJM8j!=%s^zb$q_hVv2Ewmz!z5^P5p4Qspq0r~|f4@TRtKY`y
zH;0h#+}7p?p-X+gpEL(%J%diZcUpbRJYIE&T<V0)qj~Jf<`0p+8J(XZv4ECh)R2IH
zRsQx20r`@VFYY7NBg!i)yy!_yME5{+_HZ&Y^!c0LuQ8Lmb&P&9=6VG@s((Y6cF^jn
z%+K@FOnJ3%p5rb$Z0{U!&-a*Rv)|u{yqfy3TJPc7-Ou;`uDZz1?}WTl(ztkO(d$>V
zX{oo>>3t_>;LSyR>Viaa8G%=`)6G!k{X;!XDKs#$lGP4wz467ur#-qw-0f=CoY|`+
z-|sziEuA?1sbMtL&1w#z2YCI(KFm3hg^snJ&4R`LAXc>?Bt7?3GI8|UGd~E@wxRpl
zH-Fna9xG+y&wL-VLLPVOc6;7e+ZGI9SOJY~H~J`KJ}y~RlMb9_T{cYKWjMzEEunch
zn#h}8HK-ggCYkD7iumF-+tm)}ZmXy&F1mEqV{CLw=45fIx{mJmOvOD<`+lZiigjMs
zpu)>ggsgz9-lc}?E3m9uBQc%vn-QNw)aKL9IM9NUFpL%cP3T^rTC!sOx6fQwtPP5D
zQ4m=VD;#G{qDy#q{U)X)jk1cTFDlYnm8Hf#djx3GIv9YSt3CPTTq{AIEB;B|=6tRE
z!4wUi>R-6PsO=s{WpK*tyb$ajeWS=3@pSQy6l1?e^kTSF`#=781p<-7&tyL+v0pXa
R4+LzG-SLyh%8vTn_#YQ&GxGod

literal 0
HcmV?d00001

diff --git a/doc/sonic-build-system/images/pypi-version-upgrade-automation.png b/doc/sonic-build-system/images/pypi-version-upgrade-automation.png
new file mode 100644
index 0000000000000000000000000000000000000000..778c91f648cd176634f06ba3ed757d1185489239
GIT binary patch
literal 38968
zcmb^Z1yodT_%@6VDX1u=2$F(?64KHojMA;dfGFJ(Lx-e@(%ndkgpv-!fRyym(xEa8
zHH;E73^m`z-+9mbf7d$aTkAXPtfgCK*n2;9KX+W$^%$qG3#Pfuav1~y(L8zl$Pfe~
zRRMv>Sg0t0Z(hr$2m$|)cpHLMLA6NMP2dB$gNhDt$Ctz_r#2M8XKK&KX5JtWz0bv8
zl4W}if8a|lAN6NGYF>6WK29F)oW@RWb|A3_Vh?0Rfj?rLq7t$a60#2-zG^Y!1%Wb)
zo;*@9_P4^Eg?O^!^U(pJe|sDzf*GkuBlykI_%%P+cJjE*3N55?%xC1LOw(A`aer;_
zK6Ze0;vPWd9tMGzmU{AUyc)`yQ%-E^jEfuF9sb)jBlK{Jv0}m9jC;Y*f|lc|S)#;U
zgEVpyawo-{QBHP$!Wl~BQ+>VIr~2?f&9##o28Jdd^v%*KOhdQuXX_%j-5-*JK%90g
z7$OM>WEf2gd@_vt?^?hKGVwzV-hg@jjDUr%4>LPCJE!!<GvzMC-xNv-*k8}y2I)VE
z;so9B-JH0~%)*kwz^B{)_jey=;up*9+jgkI^m^y%d){WBpT9n%2Blr%qEepAm-EwA
zB&;zogtpNYZcZeBNJzK_Bdq7z4W!(K3V^iPE^f+G3^890-q(={*eit?GS}49c&&us
z2lh}y7<v#taLczwr-ALm8Ea{7B?EgAw#<y^-(oJ~S+FGuKf@e*y`1fWzn^r(WagjO
zT6c`ydC8P(ci`FpV_VO#a2K_CW5^u-k&~PxOU%tv(QEAuj9gM`CCN<dyDhR_bUzHC
za3l3Mjn|oFyrtaai}Sjcvqry-1i9U$!|fR@Z*QOHq~V;ZwBZ8d?S)UR0@Q`A+g&ri
zO6&}~aHJF1o|Y94r+O}CF~Z~}p4MI+MP5;x7e82yye@W+oKp&TEX8SVyJ^NM^^0gr
zBPtskRT!Xq<dkDFmzW;6P2&|XMy<x(fT4e?r4=8Haj`CWN~J6a%<$duiA)^v$f;xW
z!-5F<@TjMlTbAa%bh(6cslp?s1Z3(qy20*&P@=-0Z)D|<C_&M*5uhIEpH&r^z=KKz
zYGS-Fx&`v3<%82Kv%=(^lKC0&AN&kY^M@SW_r_^alG>wI^c|UxBlSIvHwuDwMMG3U
zw16paW~@>rB`j`ij4uAzhCWfm{DcL1HCxIl+;?a!XOtb32-@^@P$;1Q$4ihy<fTTd
zCrh|hU1n;VT0opkz&aYpPVU!*ow)=JxrJH<<JGg99J_=E`~v)&Etzv%j{OEzPTt+D
zZZ~}3<1{8qJfV=$nY2FJdOGrM5=8rmic~)dd34%!MZ`9z$XCLC0Ks&JED5>o{d42A
z%`np;7#YB9?QiHVq21q8eMM|Mctp^HrI1@^hDnA)Q)j}<CSBsau*6WL`AzNqE{nSU
z>fYbbC$-y5Ictjx@nYPn^MYqJ9w9?{saHX#R4Sl5?-LRRmCh!WP^^?4{usOLhC9I$
z>l1zZYZDbPgp70WvKb7Qov3}3?Kq%Ns;D_R8_W=6UuZ2fGP9Wa=~$@s?Cr42?WPtl
zh@7Mrk|W#0BW}1*$@=_2k7#T^iVSlHO~eB;nt~)-E2IeQ94RU1xlvjo%p$8XI$W=1
zDZAx;Sl;aw^7Au9OtL|^d8jS<MEk+sByFh;zxIQq&44~1b}rB#Mn`e-Bzsxr4@#gB
zE2x4P$cZ4p2a?nsENdnq{C2R;gMti?Z=tbA*_Kv>7|5>)`wefb@UT-1Zo_*Ty)!=Z
zp^h3P4;WPOfv10B5YMxtH$xmNg&xPA^5(n8ziUJWHYQ#|pAal9aIa5a9oC^VjG!qR
z7?p{VuC5Jl9EZVrm<~vpiZlrf)<NdUyaWb`ZKIdH(wLFkNc>)c5}{E(CTcPlh7DG~
ze1TJk_ps4Tl#E9l$ZUJ#H(d4--ANux1DinJ196yvu#bEc6iQYf!-0YS-JlwyU@LQ?
z_AnLZqfut^AfWSnHy!n7Egu~(o{=Dl^Ptk(fJG%FDxE(=7LF#YZNR=oq%t~RPv{^o
zLkTcw2HRC>iWh(SEnQCR-|xfUTsyq9={+;EIzIE=krt#5bor&NZI2a$Q-K_v?B!Ai
zFT7raKg^A@Lf%9ua04OrJm^4%La(s+Kyt(7Z}9PE1&$?Lf}5PA{}u<wDD&Oy2Kg{m
zRc}hX9(vZ|&dV!$gBuRcO!qXH!ty2~OB;-1*@V`^gpOGbn@InS@ZDsEo`ZdiX+y?(
zA}K_n;I>%pqVWm)?fm$D21%B+|KrxqPL-e$w>Q`1B)?B9HO{*1o+_lv(+diRu%8p&
z)ShwikjvEdu5e<)YCsc!Yv$};xxQBDI3^DLD1gp;K9dpbSU0_VsNRQZIz?~(?cgQ4
zP$cOBYy3U^{!=d`om9}1(9z+Ixka<$zV*U-X-fy<tJkcjEz5QZc}+u~I^U5K5*TkQ
z<g$I)JF-q~Hw_v2XR6=EQp=7dM}|bAAxh}`(IXsxqZ2e_&I_6P$5#@EFkvB2q|Og-
zY(5(o1QW-R3;UgUd(j`>^i6c{_o40i{D-MsP5($zSc`}IaFLTdsI?kFmX)wr>|OuD
z(vfo3|FwNJ3bFohLC`@rPB7>oM^N$#uibQqXV)0_v;wJ%ab&h+s0{J9&{0lA9kX&P
z;LdK%)Iu6&7O5$3=X&d<7K5X75**N!Ij#d4NcpG8^{~<``ni4CJ5z#Soov?vR(#B>
z;YwY9YMn4FhV1<u{eqGdQ>b8U80F^Y0?rVf^Ei$(;Kj!mFU}N()X(gJwWoR<aXcUI
zp$~3p)oGnT?mQ(16j0v})#8Bh+~%03D|Y?pn$9fjoc8<dMP_u`80)b=SkF51@OU5m
z{fc~smP0abUvFdMZ-*4og)&JISb&%?<5DO0P^ui(5gJAY9atF;4gWT=hk#gF7|&O}
zHCS<1ye_z$*KX4sjn|XbT+godBpvJcDm?d*`3ihIPp)1(K!L~&82>G5(uw!9<lnNg
z`aPm>L%Gp&emoft$nyL4#(WGh=lj*JMR99VCN7?V+l6EtPlotjUgG5bljnXk=x6g5
zVGj}q_D;BH*m-b}P}me$@|c&!`2FwkzmK|;s8uU+P_AoSHdaU3d{5y^DOrSkC&ybu
z`8;1{-((Oa$sTj4(t=(h^IR*lS%-*@j(O>~`B^SUaY{NkB`d#7;LlA<AnxBK?6AOH
zb8^0Wsp(AaB+;$~xt-5k<qQG*>N_A$m~+w9rxM`a6yQ4ro1)0CDGc7PIG7gX*fOxZ
z|J}~1e6zx!7WMwJ<lyx1l;VgOt6;49<)G@t=j%%9F?{|}x&Nyh+z;>3L*E2U?zmpp
z8Jf1k<-8pEDhRmSWwF?rZNQqxxxcoR+n>SqUx^=dz)>RJ&rT+`>(}*oQN#Po*x?jd
z82wAD;?I5cIdwwKGkMorzV)YHPVf|^Coi?=rin#d<Lo`~{2OwDo3qf>fMHdasf|Tg
z^D|}C;Oq&Z=Lv<`+rBpS1{v)gW-PpmW;INUUOG2@*4aCuXR4`rA>PS|yY&J4_7~|6
zf`ZcxShVLGm5*P(#Bu*TCY(;{4qN3YkbKPO&Z#@%-Te4v{nL;b$>S08yfD&dM3;#f
zP0)Xf?C9>Ek?YYuw@lBhkQzohVHV%#ZJ$yQQaow(2_e&t{&1$;X&{IS(>b5H%$W~N
zvDp0l{ElSu7cHHD5S95`3N8a#2o!mucj1VfAmZkM%&=m|{IXZqT>Ys5XNb^oj{N_A
zaACn)^F@inJ~(pS@2FfU&owQ;VYgn|*`f1sW`M9}<osef!6CK-DtlsnAh`wj6?ed_
znHwBNGj7~BowZ<L-8+c@0_@tm#tlb(&(H$r3GOa?$S`G2fLqDB4CVWRk@lM*?~lz%
z{(0|fM5=+q{gL%IRYlP)RzpZ;i8=l&lyGrw(dp9nWA;lKiWLEDFmRMW2+gs%`~ew>
zKG2$stejj~*<B0S)+3v9e!cxg>g<&QA(>6b;jUtlSqqb2QMKxYp#lz!&gUaDs(eol
zIw(Wj*x1-`H~;hB#SQ!`L0AMXV}Vm4kheons$>7HjQMcM-H!ym-IkVn+TcQs)>493
zvrom{*3~v;%|dtwm$~(Aadonb<^$Y2&Y;<Hezl0ZUO&5G0S?JC6O+H-!l=AL7i6|%
zy)roJ-ZPd-`dJ4`j$s)V?V#|RbqH4vyG`#O=-u&|(mEOtBM`XQ^Tjv33s3S8D0ZvR
zfQKE)&(K%Ry|87Au*h@&hT!#**!x}^!IK-RgyGngerA#h+GhWyGS|eEL`4Up&G~W8
zK@&;%9dZ(?rocmIv$lsp!nIl)qp9N!1QOMg$c)7x(F!JTP*eu{S?#c#uOCtnX;hY2
zT-My%*PcB|R=RB!SlF<e)X=;AKhl6axvR>h-e}~&6_Ga1)KvHWF}lJsytTwnZpUAN
zk$GW$HoC<3t>Y5BPfgqIzl=}F-G861N|u;`XdJ$I)u<seVaQ>3m@RtmowZv^gNNX7
zo~RX?;`m2P`(3RJLD3cxWx5CuqlAP6PhH#ITLdbjFhjwUOCmUnJ+EXRwKZ_6;Vh|$
zZlhM4L7%BGB)~8ZNOfq*6MJj-)Ql^iv<dfzBXYrZom=;DrouFe4p!D_MwCH+IxorG
zxvI<#BoQB${eRQQ1Rs4y++A<8jK{X$Vu?yipoARrv;|AC1(IhW4H%{9%OpUXj%i`;
zCBEA~2F~zLH!CGUajI0LwDAd)o0Uo6$o^k&5iliv83Uu$v5!0QQM6I<Pq5w$9n{b`
zG2<H&f#7r?e+&-uVWa|eU1Zf_ii*M=N4+9zrvz7OEpSAm2>8VN@;DufLgdMY4BE@y
zbonPv<@jshhaWOS--n4M8hP@^Sz*CpR^^u-J8>UKcMx<ED9LCqB6;)pxPgr4sxtCT
z(!@C{W-?AoZETi8I`16>s`XT8f61UAL;ZJgEIf9+@1mX%4iW1Uezi$8R<4u#Q0Z29
z1hDxvZ|=|;&ObnGG(7dztu=o#qdSrk&oMG05cV->7Y6=OXYJuZqAYPyun>-ZC)yFu
z&$7GG3iB-us~L+%&S|Ne;>WgD%W;syyyw=ZznEk$UsZMm?B1w+p9+DScaaHEWydh&
zAP!oYnJ>$IbQ18nb_a99tnexGl$`@ZB<y8&2m<9`y%wnGA<&4E9CRnE4XEe54xP`b
zwbKh0TyT2^*-f5za8$_&N0uG4JS7zlXq|5x*-ByUi+(F1!{jv2HGzQ)swT1n`xLKT
zH#R$)1!2(%dXuxho-x5&E0Jwb_@eQkY@fIofX-(<qj)}eald9F=gCG%;##VnVzRgc
za<*)|vEs3w3mw?S<x^uz%TP_r@?f$xs2m8KMK5YCVR!g+^B%-baVUk#*TtD{Rwl<3
zm6xBUWD0ix-7TxB8HwVExE}5WY_dugnnzpnO)g$PyC}RNT8`f9!^sxzu-?TV>-LBm
zyIRyxX09DbpBk7Z$+C*yW61@QE<a}Pg7n!$(RLIdP?j0cKM-g7|I_P3H_Gs;z~Aqs
zZC||T0^C0<Yg+UbrooiET08W~FmLo=tMB%X5UBDhFws@Ao~z+)`$##Q=~taxsR0H2
z;!9wm?ewpa>6_q}gX$zCCFd*%K8%i-`6k>=knuIZ3z>}MO6%>mZVLz9UpYS9E`!15
zmPx}0fds9xwQ`(O<2A^b0k~~i{XM1VW%8mNU;xf{9<ucC(}p_(xo~CNsv~WQGN|fe
zO6}YJJupRj@xc4U#Gx-Q`_@)FBPYhjp1W_Ks&IszenDIU8MCL}C9TW>(&3>?9KoDw
zYHDIqQuY~};3P_}#DvRDEiJjp#p>}l=gL6(p}>Ux!xF@|_Q$~-1He3ECj2GHmqJf4
z6LWJ;fp0)Xc|e~Ab%!hhbsx|u^63>cYV9{QHxB}f?Tow&J=idi@!QQid(sZT3Jfu(
zbyjYfpl=7jzD*m6W8l;NLjcUh*2`-`ctjFNhhUiIg<<u&6UbN3&M2<4vrkX!=F4E_
z=H_bvP>>8P>RO)94Ui^KJv<P4H3(_29}(l0k=-gOQF`ULk`%*r)<LY^4^0~aX<uL)
z0~%nkoxlHAN0`fWl?iXrM!!yRYWYpCvtwU|7$3;|Gq&FQnVZCH4=QC=V5DEzltLHD
zQ(mBi+49Gi^Pj_9S{p6PZ61RQ-lh*VE;a`fyx@$Wy$dH=iW08Vt9S;}>eg$Dh@}*x
zdDJ^-XC5(m1tkVj0bUi*=9P)u1k98fE@3S*2${UmVp%?F0<PfCB>4jj-nK`;FQDXp
zI=`Pz=2PLx?1~bNn*V+ko;JC<%C>Z4+Mxs`OmmGTG=-j3Vr<h=on-^)#X*zMv(Mjz
zDUxnRadJjCE~3(t-loGPcpRxenxbkqC%m$8G)~q=U%aw2a0jZetB)_K(k9)p68~FK
z7;4_QScbZzkT|3L;jS2s8qi^uV;?b%LA!6m8dRkAU$f13b7~)=#IT-W7vBN(zJ1YG
zU@rcSu?43LK_*e@Lp~P0*+<D<%n!V2Bf^<`<ffynKKNJUjQtUx1jbl)SBy<^Qp*@t
z{pE|OxO1}?N)yhgOivdP9u@CBVNkbN_A@p$;d@Dms;sPWwdMMuo`En~N-QloPtw!f
zi9g=wrvY$@Lg2?M<r-v3?%OX=VhW<wly?U0l)ZrV$cq<EEYgO;vjHGvN=C?!O~$Jy
z@B5vq#WEW(IE3HNBoUa&=T#%qHjS3+>0APtB!|Ger;6`Ct<B2cKEZZ)sOmE=bq3xQ
znTi4K?8Y2^KH(qA5EA#k4jBE=&Rhe=5Yz+=d+UwvuL^F(-a&}pazF*OQW|_KKBNCY
zValoo=n`VX1`l$+c=Iy>V1<-eBJ_y|jBG41!1^5mh{9BO2D~x&gWQurh`5CSO3bbN
z2R_G(S)VP6v*>N3@dr6IHnumaFqieW7Q%4A(dlr0u%tA;$wgK9`6BcKd-Ayk+4t|?
zcP1=Zpl$V3s9K*fuWV`Nm&Pz{qHx>5Edm@gm`F=*tPC_?w-)UKEPBFK=YMYjFdqJr
zhbZCvzP{XHeLV*f|3=Yex!+;N{^gdGY1g@^vUr7DHWK2!m<9#hVedNbKi{HK`Nrr7
z)AG}gZvS$BNo6zIi>dscJIwX(uik7rz&MlvaDub^@84Gq;u9%Pi}S|;%ugI~I}NU{
zYc4#Q%oR8iz6U^e>ODe!n{@Ilq5N7!EC-cpG-|*~eFR(-moTK&7AhP)2+`5eS<jWC
zsj8GbvzXQ@jtQ=_EDvkgUmt1EdhG+;nUMiM=&yYteqy+*inv#1S<dGLK?F8INJ{}1
z_^|>Q)v$hty3uZzHXX2;Y%bjBDTEvF>5uOMrX?3wImrYJq(jsX3I*QqA)rj`ER2yx
z#c%P|C6rj{WiBf5A1gGhX-|p!4SOEv$FcQO)M906@V4c+ltBm?+)k^mAE#hZHYA*r
zkQ^ds2VN<9?2xz<=-kjahkB#35|5srb0-1D{NP|Y2%ByxJQ=3fLF}_0>^T1!CgRN`
z(yaB`)}@hni5{$!*5W#s0%K)8k~?9T`Sp_vtw#L7su*Ho6@-x_Z0d#GJHcbG(<tww
zM>FBrb_@290|Uakbcd6sbs6sD-NS7L=9Hgwc&H^A{E&c63u#}OwBrSR>{OhSTeVV`
zC%bf#kC75wmSbyvKlymb+T}-eGBy+sU;i-UYnGI7>kyCEvbHW{mG>V@`ytFeE8?J6
znDL3Ciy=uOijxPqx@tz)<~Y|sFUI#l<F@+{L{6pCpVmWjohnAVt--(4nAzOYtk0p}
zSW%KPGEP{)t7OLH*M%N_;yt~{4|uOmFNbd^TDG<f6(|G^+quZZWPmt?!rW#*tF+@0
z*n!OUgS+C#45bQQ=3?iB(J<ksF)Pq>g*eOF_%Lqe0R3xfAM%vKOwPMIh}LV}df+u{
zqBYS1cJ@PLu5d#T$%IlmuOq5tc(m!U<a<<SCY)=W6UdS!!}jc8A+HgsF9%VzcNX{3
zACJ~n*zPwvKOn0Q(yF_9xRX**j#vIz#;t@nTe7>aQ?6d@H8&s~DqNS?I6$`2Zrz#}
zCO3b-Z`|&&tVTo<|0OE|tnH*Tb`PTzB+n48oA=OW5ORV$D_QihfKw~0$aZ-H*^ln0
zMT%jcPOofs$(yFalSPbznIuno9@Ely-=>faJx)1IB;tu?!mLW}gO&zhKZqReHeoub
zVNGrYrXGrGn86r6#p7J#2G}G$>l~saxMP>~v`lfY_rMX0bors1f)8cahzK0wZ$UiY
zq&(Z$=52K^>?D_hf*MlyKE8b!`iH%*1M)68q<%8QE4jpQ-S4_<3MBFRP{OxVywdd>
z4i<d@?PlEd9_VWW2#XdUKfIjW=Fa1!lPp+?&zG5(Eh^`xP{t4s**%StE{%^b+`6+y
zxet8jI*jlRgv6v1#b~$56BKS?C8-3wlw4#AH->RP!o?iUN%~DHzkl?chbr#X@9zOJ
z-ltKP>AidL)~Bk=K+ZP?nwp=#XMNPgw3dtCy7Y&c50npuhPr!<6hIVodFVF7+za;&
zu)7a@3QOb^>WJSL9X{(7;C#n5mOUJ2<#iQBK$}S6(12=}Pl`Awx@D0q)l9EP*OZOp
z2OAtKgPFUlfV{%Gv#>2srgZjW7w+*~uF-9FZCNqv#DY8a+C#Y|-MPl%{wto%GYQLF
zE8c$#`X;mO*S;>yn;a1WHE;@U&>z`uD9h$tkS$i<`0wG>o$1wLYzZPUBux7=|DWZw
z>V7FfOaQr6rjF06bE~eFkCdEen?hbEF*NnI1N7e3LNYEO=b+VvJ&eb~P+@g)D#y9i
zc_NxP$C^w%C9X=lRlq({hN@+<@;7D48}oLPZ|O863_-3doqiVZla!Qrs6_p)tI;i^
z&v(=&ft4j$?b2`sLVlfC<&G8iUrkz~(^$cN9Lp~XO~sMw+XWf6HdB(B=DN<7!vC%s
zI7c@}E-!Pg&m3Pr?n=eCN<aB>H4T4++@Ia4RgM|C{L9@%FB$D(%i*2t!R?r|Sc`vO
zHXGQ+d-%Q`|3yn`E94H@ALASIF=a}L$O5<aKCc_ZAc1C`+ji4AlDs>?c=&DGy+!q8
z_3bq%acnGN0hRFMNdV>>)^>D-h!Du!j4D-DxI<nnyg3f>X!{!@Pdwe<+qNdQu8u=k
z0wqozsor|~%v3?o#-8@s%@W$ASH6YB&Tsb`^N7i*26ZIhlD;uW@Q27Xrs)$v5|BAe
zQ5&0khb?8K#<jTI*HS(HOI)T+a&X@z@b<FgZgWD$NwA3kRx22`ZFV={lW#;sHcc^$
z*n+-hFuSM*R<(DfJpLvm>2{8rFl$B_;88~CY?ph}`h=}g_Hi3xY_PM~u%k->_$7cF
zOTWL4e;ueyrMh&BjZM<QCG2N3lkG}-h}Y4dpMOFN<5MTjqec3yPkXJi>N7Js%580D
z3Fj8d4)BI6KC>sj&3)OD^8~4t-!XCMDp7&=xHxiE^=G4CLC9^LfZqFYy~5GGbbb~y
zY;uMZEB7s++t2~rkdKnpcf)4}p9c5k2MKt?9R<i&<x}e?2aXNWE5Sy%-6fay+2GT^
zeQ87b-cg)Wc^Po4kV6x~Ne3}VJo{(1xWkTKy-yUn{iIzW(S6F|rI;vQN}OIo$PF`5
zOvI1$rF#F>gy2FW-60iUX)JU$pMUm<%{nvbz1r{YmWJ6$hP0y*TDkJ&JsD56pH!zA
zKD+v=#dqmdi<*O8qK^w`?n9^AkZC6+MpMoz25qq3k$DHZNyHJCg>!e?<qkH)&ZO(W
znVTH}LcT`AYBjVG`V7Z4`a_UouF93mzA^L9VOrO1X1p@lCu)HhJWkMBYRzO%Yp?LW
zZ7WVm8LS}GJ8KBm<<QRhiXYmV-;&D1;Y~d=UU)<~SD~tCA?}w`B2N|#pPd@SsK|Ko
z<D*--pO~ACgZV>l-()(>Y7Q%Bb$#-=B&5N0WM?%pL^7H@sNu3g3+aM>Oa(!n^~<@H
z=3II7ic$VM13u2_fm^<+hWYPAk9yVlUQQXdWDGSP)S$$KqRFOJsZ^&OVcTc;6={?(
z=K7ddrY`bkDc}8RvCL5aEuybi_d8*~wBBu@fp?Am-KU7rbkF&>t{mD}<f;K!&TUR5
zV5H>y#7U;h%z71HpVzls4raMQ<vNLaua9D#V+f`4afKwpe%6dC&^x`PE@6}1Yns#w
zCW9}blbxax;5Ax5gRI+Dq{A-Fr&;kf+q88^w?vg@zR;Uf_=O~%2Z66@#4pC=R-DU=
zy*NXp)$9E3s5tg8cPRT2HYuy+i|laH(pmx13&XFWq7xH99&XISMRfx$;&+B?=@8Q2
zZ5@4gw9%sB?ep{zY=~9E{W@`AhjI8+ptHo~g{NwIK(%sr?e4AC5b7egeIxfdPH!cP
zgjv()rH>NX_u1ue1yziY`f1h)%ubZpC|s?1!A)FpS$8bio5xTT**v?<{cERZL`q@_
zxm3Soz5W(fqg9NJ4}g_FT9Yr>_gg)svprWF<RgyxoGlEIXFNcjbO@n6zUNcOx1KV-
zyse80u<bbs5^&1RI4aoMsMY;mSpt`3E=kzc07@qbUD(z1@3wK3R6vqwz-7LE`8LMj
z_;sb)TFY{v%Z9Yt)Ek-Gp&e^_+P9EwI%8+HaU>Gd!_8x`poqE=DPBL<(cw;UHuV;p
z^a5~=;|5TMOB6COFfc%!gwH;d7T!3faOxyo3GfVe0^*h3?{qj2cnh<=W|FzVcZMLn
zG2adDBXtjD{K#LtjT9Fjd^{z(v3x-CCE-?Hdtd;2y5VPXcPE%O-{WboIV};yBiL2D
z&d0RnI-}gBE2{_e>bX1!k5@L`E0qlM#Nsk_g<pK@{ax?asqanom4MCCH!GWeEqs<8
zEh%u^7$3J)NK^Ewx(a^z@}<2*0N{|I0<;`lR7OC?A2U%u<c%rA7+37cQLp9W1@ZD0
zc7|P2)f@YjMu2k=h~n%i7e{PWCdL#3so_Ey!N<`;>7A^sY`IeAb<ne!I_uG3${WrZ
zKd6ll#VZ>cjB;{wF@~JL>%TaH0{`|hamSW5E&85dfD)c#5CXcVqZHpL@>s;6P%EBE
zBm*0amc!jlN~BHGA5}c5wruksU#?<5Go7B8c;Ny2Q46_`U-V8C2qRIJbdos-$o#~e
zCsS&F54BimV=kVN-+w3nw}$~|irP%JmVIqD%c`U~WCd_{-J|B$$ig)z#(uM<(Wz_g
zT~|CRLQt%6lixLNQcD7F|KSM!^P2EyTmakcD5IUr(8N0`{Q!jW+FgVVlQ7S7Fls1;
z%`YsBP)Qal@n1C6bXkQxzfdjl$5=c&j7~lA^5lckl1D&UpQbtVF9K~Cd^9)^*XSPI
zn*M~L2Y@bp)oEFB!Y1`~#PyGrl<Gp6n`4a^mE)V<;S|C8kWo|o0bA!n*7$+Ax`^x+
zt2#Jv_v`O#`*UI*%kpr>H;K$8qHeN$u?1w0M^DPo<P${<t_43}3I}95CvOjel><NY
zsIF{1@Rdy*&JemG9~6@QwSmWBw2Qs%eKvRq5_^p;rSSZqVm&z0hUD=OB#@^{N`6~i
zjh2MUNS#X6%!#lKWKJ*ak54`uaIh_h0-<W;qh#pcc<U_olFDO65Qn!0{wtrh4&|Br
zn9<G#x^pz_e7}E`OvumI&o6g0<Na;v32bCNCwcLm1N}g^gdgHvO1RmV>sSBUaG1|K
zLUwXFG+!d?I~;fmx=6*<J#C*|e|7yf^N)Z~MIvEzsE|k~%-yE}Ug5<}Ui{0a(tOBH
z)(7yLY=hS_hSEa$+xG_VQz$W#@MPl4z{L04nFXIC?*VuL7`lm$*7d1G)y_3IEEJNW
z)L;6jP8+>EFy0uq18^5Uu%M669Ds+3i5tx9kJ}~leQV_7@eNIq8BO)utzdnf`n)x9
z<|3V)n33KPKG1b`W{L9V_!h?g@iUsfRTqrMDg08>bKVH7Sq+IC#<I`yz}Y!6*whQH
z!B&wCC#-Psp~yP!9bbxQMdG)C=f7RU(8;zdNVXI>bsoAIQaUq}$A)jR&78Ykuo`%!
zt>q`yW><DAIRoxvicVBKuG|=h1dj7M6q(<mR@HHYX~#Clrw{#-(EJhEOp{w`L|Nv6
z4Tt<<k@5LvHZPDXWlI*m+b^NNGxt&i9$4xP<gCc;{S80pTI*yBUR-XEWDcXKjKk+^
z6*D*mZcpVq;ryEA;Cc=;2zWmD>gDREg@wW)?u86AZ#}L05|)d1u)7zjtjKko0;E?1
z^BJ@L7Jdc>(o@o;uv|Cnt{<ts)#bRm%Yj!qTFQr=R^oT|t42YLc;z?GVez0S0OKoO
zKSkAhgq<u52xd09CF$@AupUIerIYbd#+T;yj3_T-*aL<;(9R2jiE?qaf4&vBC5_KD
zxaA-e=6v0U0*Zv^T9<k_1B6BLeby72XVH9--Si6fXzJ72#sPbLrrp;gkxZQ<XgvI^
zyCpk@wqZci^!TK}_|*_(`$tX5VstBzOF_o>GT8~^lantK$f-~4H<WT7i3Cc-34f}Q
znp-XBl-VdNN>+P;3(1w5_3C@Y40X>PPZ0{d6@+_1d23Hq14=IN2}nv4zIMzI5T6b5
zIN`_ysP)G_^J#aD8<a0gQ%x{|qXPBY%vJMWFg6Q1y-Vj5&2woz5RZ>ow~#Sd=YiuW
zx-d*}&vEqocMYShiDYYq*6s5XEP6wDiULT*Gctw_+LX+NgH~T(QdN@hmFOpq7=h!R
z%iQ*VyT=Wb7d;oy)`%&4E?U<B`K8V6G<XNfSTVDsePx*1c4lsleXrjQlT!6dExS2v
zK=YZ$6RaDJ6HMzQ7}x+mf!%GxP$q2AJe&rXIC6x=#~B)UP^nY~nG5eH+!O#xLeA3H
zk0T8ZhwPT61BBuN?$XvVuK!U57ooYm2b_k5KDc~3kt+w=>K_**Y|MPwzRHFXU`(?A
z;N?y<Olw{K3N!}blK=~_zLIs`@eH<Yv2uJ9B|IgmN=twDneZeRj#KFUW>T=wpxuAD
zR7BZ>CQWS<feH`DoO!7ssmTD=={g34u3xF<Cq>la;q}4SYB2cDpF?toQ1+xqbC#;g
zuM0|Bp$4O0W?iy>omd?pY7&5?4jkS!2$40CM+x)La8bpT0p8%nj92zG*o-=?+NH#T
zetX*+db+gduj^Mk!?P%Ykn`?X+8$T4fcDL*=P*Z}o!ud;pJDyZXfhc04E@c0?kD?s
z+CsGjWn>6Il(WQE^Lg_??4w>PLp?Tq3v9}OWt}^(werZG+a-*OF1y6RmLFnkr0bvl
zwBIrWdLrIN$&oKm;Kh^@6A(dvZ*!mA<ZTSQTMj!rdjjj(I3dP|{K=5BY`w92Ho>y-
zluqi4ZolP&L8a@7yR6;l9_odGb>t0(W4O)s)qqfgZQo4vXzcGy!V)HTO}Q>cS?}CZ
zYB!_-Kc?2+GB7E#O{JJwiC$+yE52&(xQrYs8U6eBCmXW<GX`?hbW454;uK*5+rE#L
zR{=0>iG9LGCIyYE&H89zApu{4rXf#x2gIqUqF+9DG-%YKHNt!j`g7kI1TjDG{X+V<
zD_SQa%SX1Wq(m{08pw5)0WW0JcuAZZ^<elJfF<Y--z?<@%c7GqhJ3DlFlUEQ8pl7~
z4csit)P`+iT2`*nC<79^H28xOx`+qAH^=P)qu%NcmxHS}lI?9u6lHHW;b=B@rslz=
z4JKsbaR6{uDSUQ&hPaL46!Kg09#y!Yy#tPZ#*V}#$+TV(zk&K3^?_9?geA~tE!N8{
z+i?^~L|%J)jy#|aeh*+^2UK-{G-bZ*+c20)lV4Sz@Gc=ChtuZ*ybn8XgXHLGk+i0c
znN{cJ<m?z0oo{gMu<RXrn4@uVA5g+)xw|_%66k%hiHp!3RWvxp&b9Q)k^dglCwo^u
zL&VxWleDQKmFe2GYdIY&s$jp(mD&v0!`3TK|22jRK-KFhof-4;@nI$`fo%ol2a=&H
z=D#LZYr$$7>2RMIU$)Mv4wFHM@=Y%OVk(vC-vAVSp7xJpBJgJxoBsl4z{5}rk_Hd=
zj4Fz{Lp~h?6b7BfWOP6pZL#Q;IWw#WyTbq9lFd)DrNk7gqQpF6OTBMy`W6|pv>jr#
zyZwy+;07T8n8xK#c9)a<E+bcEXqut$WPMbqT7_kdDuA}1=@{&i-i!S=%wwO;iL&8w
zI|H36AZz!)$g1|VK#u}S;^(mpCcAq%e-A$}ye7?(1yU2bh^@liF^Q`HxXS$D0w|^W
zz#jeBlXCFCH?0BqZbAQH<aNa&OUjZouS`l?Hkr~ziZqUYqa9$Zuq-F(muuB_IOrXw
z!y5|$!`%AUL4LvoYNbJX!B3EXU>dX=V05_Y1)!l|KOwXF9$^Z7r+?Ei!utF7Z~I*)
znnyMchd6(9zz0iHB0y2Z6atX*Tp6Kpxa_XJPyk7#;=kV7^9p4Kq>35}YZU+lfLqMW
zA2ryON}>OLrwFv747>7J_}|9~Zg-gW_52@nltN!NEFV>}(#Xkf?E?U5HZ3CnCF`$H
zsZgs^Y4QOtMDPNXL+k#uTD5^<D+ZDBlo7DiSAA@}AYf9rZvPwW7{ShGmupEN@%{U`
zGFaoI@)BBE)kiQ_XP;6qIM_!HoDN?{=HJI)F!fN3IYR`9hwR^TfBY|idBJG|{>)yc
zmc=q|cL0g@BN=#fVa~K&`og*Ffb{^XCHl9tQ7-^iCw5``nnIOjxgD!Qz4rAMJr`y$
z`tRR_-3dZS*9LTAwUXNjnC0xqi>2o5x$uokM*v$JpD_d=@D716?IFnW8?!H7nN~hi
zm%a_F{cETE*9HEdAB1>>Ic>5mmkXhJBwk}#-U$|Axm+S>)i(R?$nhv!A*dO0`8n^M
z3k#!~OwaIQMhSxq{>_sr3>b$(YxNk_laxU_fZ%%n{=L`!h_ulzso_84<us1S7?QYp
z<MMSYSoLyOcTdlw_5NB_8~3?-yX*&GU|FR9EsMUBxyHo6Eg;u%hG<OG7x*PKsRCq$
zqWOHuBE`4=dRz4*QSd$xzZfC|X?oLzGo4^Vatonfyk@jr|4{0)|1+H8o4?YA(kP3)
zGKT<jp)6F5JqG$h%k*#3D<$hJrR3!;|KyoZ3T5^R_-zJ^`zWNrL1_{HrfrHrDAVcI
zL=pW3%eIjeQ=)p1#&Mhl@G8r17=SSwsr;KYAX^)1v^@mkITK(d;H&^3>~dAj#yxLZ
zY_cC=@%{w_2T=KcD={TUqXJG~6}W)m*A7n@@B3{&o`|5hvSSF!V*fYtB%W7;b}B$8
zfb#jmS3LdzQ2Go}2OIT3NtJ6SdnuWcJwM6-peS>I3KdYY0F<jBP`v!xPgGATPyjU+
z7?q8~Z6reiix(-1%rBJKMO6p-xJ&H*%7C(GZ5NKs0HntZ;UME1TvQ-XDgFPtD)%~V
z+f1nsJ(or6&5j<Bg3<wDgZ>Q~8k*uvK&L&_7O<}xR?ZYb8?FgZyr6JnfZP7>S{X69
zx0hI$##b0@dTrtE)}IEw!G?1RkiI&=CYns#tEurA&=M)EZy_ma1_;+G`?Ky9+JL_v
zcLguy2NL@B)>387*Q`RdpONa@08dOe{JOuFnG+d$qw;lrpxHUD*Obti7|NqGG1MXE
zHz<%#q6`CgOylXdb@GDSD}e%j5*t%bWMJp)W)2>MZ++|A4}}6^8Oe(-6b)6b`N1Q`
zy;d1r6m_Of5SuzuWeR}9G+ugJcUl&#W|hXYvUl_0YjllYJ*v(q7FCm4Qy&2k(ihJ<
zKaUPZ{XE3Ab{|~MPb>6)KOVOKq49k6WNz;k$XL0XX1!Fe)S)0iqrm?cb<mYck7Lo2
zif>tOH&2B@j9rguL7>NX0lnM*`x*%B-~vvbB{^&x_oZvBpIa<1vV1}7_Qea{`~?q{
zvQ9MwZVEUF7mv6_uOT6FVEO>MSf62JWTZYc1owadFo7#pWZ_#ytQq=E{IU6fv^{}C
z$=!owQd&kvz@wc|E@=5x|3YO1XXH<u{`7R{gL?dq5Kw0G7gw=GTnHC}@ViYd;d{&+
z9GO5y>P<5Ev8+t}g8Rre0CQd~lzoHhiDSUA=v%c$-T@WU18m+fl@x7sa#2(j?(rDF
z%iCV$dx1tq3^diCtqEWk>;4JYD2}xS@B*Mhj|a9-(^VC~V5MWl$dnPVU_$)`28#n&
z!e~)Sn*V(w;D4SD_&<J*I+pru(d;@WM21^`m)Sg%dx!f3DvQP3oU8XPd^c+ca*n5s
znirD`ap-$40w)V1CIc*0hniSk3PK~t3j57HWYll4J+18rTS(;Ydw_XzAtF=TXeJKM
zZPo!~ScB5Gg|cutG-zRZ<r7D>crcHxZQ+iO)rl^ST|kuc(&1=Z5FB7s`z)KGFr_Et
z=T@STbP@Vw08!ykcc4{qu;b--d2UE}bF<N}``wQwlND@*t#>ZuLAP&nUHwdb3eXhp
z+{PYgY70Q~h0K{ZcIIyGk<9bv7S7*$a{S>c=rJ#nEkl1m!7nR;6yvF?-{QJrB){V*
zzL}tyTu^Xrb9+cA-`4}s#Vwx96<jGq7C`pWM4VvwZBKTO{(!c{lM{~7G*I3Rw9<!?
z1~62iX)eyi-TG0{hs^!`qOlV#s6|f*qQG#bFyIvO+T#!IP*$nmweDdeTdP9TPQ%~l
zRv*Pr5&a>;KNt9jO?{ypYEiXng$>xuU-F3$M~i2rh8HMB&v)~}l<g6nVM@ELUPOp`
zyAm?hJ1hfG1fMXrvn~2oUsm)3=V8jr_s?&1!@Bh^YeeYV_1QgB+Lv9p+wqXrZj4aG
z>ZR!FHsJa+(XqFh2-`7`>We+>o;_cDYI=KT;r4{}6jr_fd(M?8{rRciqhlMa!ZH+{
zq2|Zg&XyIrx*ZF(M;t$k4B7K}M2r&Pnmyb^em_Gzza@AcIBoo6rP(HR{~7XkP(JKO
ze=!+y0$^1-mvYl_v#&8Q6Wf-Pp}7@b;d2n<cMAt7e4}@1_Y7eZ@}hU8uc&`UQX-F#
zKT!bwiC)ckx41GQZ}mvo<kk7ECR1?OVn_2sqW!NkL~GUGa}tyWl`5$tHpye{gIj}q
zZDDm}w{EGIuN%!f*N5<Un%o0!$(_faUL>L=>)j7RX8i^<5PJ3wGIs!?#|cS*o@a$6
zKId=&YFnq^B&INgkyRKlx4C7+B9DqSg&(}H#Pv55*{tRT)uH(dUhI`x&F(WyD<Y$)
z=(>js10u)13hC6h$`lg~3)Q%Q{+09YoC#o7v_+@=iQ#+P<Xp+7P1~`)gf+$Gdjnxd
zbfVxohgrHBz~*hPWAVbrZeJHU)(CZeRoi%|&zaYlmI`-l&rXMw+h>)csXk-^Cu}DH
z4wSa}U%|(7zR<=6^lC%Zl38SJ^U+PAQ$K^}Y|N8k>_)_ecl&<QH#+eZ^#A4rOr`3U
zcCt{Q@NTA~``WhOn?6d4rMTR<_%=mewAS%&XwP$in`pOGeu8Qj$ohV~Af>dM!S8zc
zaz@wS-+683-UQG=4!)#6SPYtP1J-|H0r#2xG->F_R^Tk3_!uy~!H;=Fd*{}r3mU$7
zaEJf(ezI9RHOVF07O7MyuD@1Wq>Ft{67>?ZRD6akVBeG~VQ%G~C=RmjF2{GWZv+ik
zmM?bDO*a0(zMpb@GJOA~e;JTrSXs=N;?K)xUIO*3@YuG^4702`Eni!Y!T)HueE5Gi
zywy6){`H&gtLL2d)V+I(w&JKfr+QRz0&b*UvLTWRr#CyHuIr&AspE0B8#E?z2~VMA
zQ#D*y<JRCR&ejsGLHsbYnP9wmBD&-!johyKzW;`H8;fK(rMEeW`*jcBk!|iS{hS3T
z$lGgcUfjFejOOvKy6WNIj)zTX#I<=8x0je7JWdz5j#*f@@xyH`YT+8$-RkFjUg5Mn
zRxR~g-COeLI)mCLoeK)SADhf*wD9~uv%f#^M;1VH65W=;VIpJUJJa|N&zXf@<O5(o
zUUYU?{_b38<&JFQ+FDyn_QJG3JKc-3rOl-sy3lM9I@yy}T}AT<!}F1z<Di<KP_pvZ
zv{5<zxOYd22P3Eauemi|Y^Kzdul))JE#${!gL@Uvr%)VK)uWQ$#~>m6hAb&f&vEez
z;>#FcXr}x+d%SCyi2J_hx3rnMw)#?Tv?Gs;Y@!=9XAb`&eojShq5c`OkZb;YoI*`^
zw|A3U=%5h6_J@s@?m}>)bu`-GS#k$_xIYJf8faJP@HDQh`l4f}K{W&@nP#7D9CiBQ
z06l}U-q!r5{R8suEH`6}r{dJmO6lvy-`HBgEJ3<508^*(99?7Yl1s~@)H4Q!`6(ZY
z(x>UaBR4U8&3;88C#E>Wm^{o6_3bgOCIFl#RowUXNtn4qhfcfn?ck5!C1XJB&i_pT
zZ}fNHiUifO!gisB0fCY<|G!^(5@f>CbqBCY;N(JNo7}XK!4yLXn?c=|tj$w*fnV<1
z*?R>%DniYYSdoj2{t@#mrl4c6Kd;2G!oR}AaCaEq+2G1I8eVX-Z8dwQgd*%|i-o6L
zy4s?fg3&TVho;-)W>s%<K^#_O0$3e#X4<8eTm~^p-gGihkue~WNFcIm?v{F$75FNK
z%<7{0q$pAV$<0OFWvJvep4Tm^I%7g~ifaM;2&Z$Yv<1jvp5ku9q;#=Vf<^|323v6g
zOMNXNPZR?S_^=X}c0*)KD;ypllj1SU?ciqU-0kmgb{1f2Uf3T(OG{@HD=R_^c-Qni
zIQk79UcB%q*Np6TPY}&3tCB%^cfHts*=`Q4=-L&7tswfthsf);6(^CyvcKh<PyAow
zpA6L;Q{I?Wytf03s-2_@9#xxhK@mgNu0Rq)mb1|}_6njDpo@6UAF|>LU2@E>4(CB8
zHhIc7F4i?}HG>_%Fa7+$Yx%}v7PszeE0rFSS^AM$DUAa}{)EgdpI+wdTww4srJaz(
z28YZ8ALl~c^0#r(Go)_6pEU$PJB9I;HOV1*xwNSP5TqTPS`>GULi@}wKR*qwBGysC
z<Z+3EC|RX~_Ps{f#kTAH#E;|*22B8gr-3H_5Hk|822kU9W%>0^kte5GK|9}0Yz<X^
zVi>+#R1gt=n$^QRW|NKno-0P&v0fPajKz~;pRBD|wP6@N^4Uc|PE>X7AW}dNsCxMw
z5Wsi^`d^-Vbh_oDUO8Ns^k3EQ%-7YQ`LTK_=pVD5wK^{P+M^R10s{xz6)s4vL^^NW
zUp`RCUl9^KcQNktH~}a!`PZQ`x3VM3j|v*yX!j)m23|E9|Lg*4EmMLzj5a&%R(G#l
zAvXI9iv;%)PN?37y6K_bEvDgGp8Cu6LMkSbpNN2Nuym4dk#SK8cv{BfkN(-=I-H9S
zh39YCY#4p1g5Xy}aWLP;OHkfd+GszxZONQ8UUs3FbRS;rEX{pgExAuy?@-}ySC+{0
z_pI~{iOY?h?y-g(a&i%ACR;dxKUTADq7N-k>ja5dZpSTb05Bor7)HPR$cYv;tp;*V
z9zgskzS94BLy$LFcHw2_^i_-!^^Qc>vBOrrfatuzTdRH9VDDw)V@ciL3Qh~BUoBqL
z3-CX?e1GNy;(0<o=X;!JIqc|?c`e9y{&G!)@v9c29bc%XULqW^2S$V+KceayMq{E#
z&)BlHmXkuc009oT@G7tugjZhfOvGgK05otr<)rwp;M6elAdRX&EER_Z{v{IT^!u8U
zRszEYNW7fSNz~_mSg3=iKx2Vn?~-m=wRg9v(Ob5i1upoIVjC3ze^3d0*3`bsS&?Y_
zwvEla{6Gw1Fgl`p)ojcsRJ!OQLgbHjd$q02Jml{@E0L2exsg^0&RPzdKmnliSCMCz
zjqHLu6wWa(nNV-79R9i)y!C2t{+ehqFAHyO)j2pr97^X(0S6mZF9TTk<c)a|#Or;h
zO#=~&wz_I7>dLXF&#)F>u>E`??>=U}tyd66$c(DxYQ<-N$L5?6f*_Q(buz=%5L2C>
zk~qA3a{e;A$Mcq;mFL`U30c@DX|?a&pH$b4Qs26OP{sEoI4o|=D*`7T-}ru?zghMN
zfzCd36tCa+yX{}odoldl$$&*Sbq!>=tO}K?tfN^sTg9jo=`@=$UIXqYtLWPPg-O`L
zXTa2m<rS1FyKf^2Q|@Q$JTIk$Vjr=~@yze@;j{d5#viRi@Y5L^Xpa$E<{Bv{H{5dZ
z2_1!X9AG>-hJ2<26HS!!@H{C(aUXZz6Lh{#2D*YfF$`R;`K>~Yi^iJNwNxRaI!<B@
z>~0#nX$5XZ&%nbN<2~8Keo^eJ-%+|n8d-v(#S>CyFC@Q~upyBJ+!o<IFX|tqMI>{6
z^BiJZTA)@2U8qyPiPmFfHnGcA2R;;_3m}F3VI#Uz0YVDm6awnP{~Iy(MFY+<W-pA4
zQZMQ{%S+*bVxpp46?%ouEkHbqri-Aj$^art#lXN5Cr8HzOht=SD*RDiw_d<D%X4=m
zi`ouy;gnoOi@=d*<|Yl5cNa7yI3n$uD4;Y4%EZCnzY~=*E_B@Wc0)V#Me=|sS?EGB
z-x3}SfF4yqwRrDm`ctdq=4L6g2K)Cwm#0-^uKv$D|Nr-&`Sf-8b&KAX{vV=p35R6s
zdfPb29WlRMOS2aDd;|q39f+jiRV;vrMWr8}rx0WcoY79rvrA1)#Vv#MWq{CW;tR;r
zG=W({r0aoS1N5y6AU8){6z0<a&ahSs->q-itFi8|x?qU`kvi*zNIjl~<^>~_vgAea
z51IN;JPsUuDB_JMQF%v7Qh9MAI)^IZpW1vri;ut9SyFEdP`VFuA(dq;J3=8=ftz<3
zLfg*|>$KF=BG0HFC|tQI2&@4ufWDZ>kpsH(-2CYaO$#uwK;5f-WWz{>`Y}Gv_5UJ;
zOITx`#l*x=DOXa_D3JqrR;W8rfzL0K0=jD2E8<5V4EbLdr}!}5exoWQSX>3Uc5!}T
zXQgAsa;C(;6%HTq1y%9^Cl6DfT8B(8)Bk_0nlr&1AyXH2<3-rB3pgjBF+!@emrGcI
z|5)IE9i{(2isk=t#Qy&u-%mxpUII+Zo%yr$m5GzxMLuqv{S!^I>!4vzKm(ivX!*Q{
zZt^`m5{6fBa8W|HUt-ciqz2wyy)Hv!OZj<gz<%|4NB`<))|M76gTcUZ2W4nxK<*8O
z#d0Hqgg#IbAXP6)`rR$&SZ9BL&tW@31}+=T|1nKPJ8I+x_QpAzwT@KLMuCbL0pV`U
zE+)u!lpR~I6)3Atd4ki0RZlgUaG(X|7VVjaZ*c>Al<(XJC<cac^_evgoMO5`f}5=O
z3KPhNN=12K-nN^UkHVy^I!ywoN@J0-^Z7O8pu?J<G2K?+2>JbC@x2}fy;+NNznxjp
zxsI?7m?9wJ4>%YHj~p`VX~`kZ?0Nc?l8O=BfF$#Rh5vgqac4n5?pW3<<KqUvtnYY%
z*&<pX|MZKSLm&Hmwfy`#4lc2ejzS6%$v>CF(p&zk<q<|lE{)RivR(UA>!c)oLCE~q
zGbtjc0qcs_J#ujeS7k<}TOKe6xBpyt@Iql}K@D8q#m;>!^L4>EB9UWOV;76QVUiEW
zq*T=3PtHfa-N&M+<gKdlz2{5EsA>;N`2Rv!GWyl7EARl4@y3>L%Xj1?WnRz+tznxx
z0fG`yX+!<(6*{1a{LH6@^X{Zc2sLt}iMeTRS=010NZ4~0ALzOoGGRGH8{2+1YM1zM
zlC7ovd!AU)vIoE;3(q=C@#b=1q377@mtY^YM*PwFOtZr%l+V=hME}o5Qz)9?{NS&`
zb;wpwyTKjnzA?}7m603%*A_;^)0c&GIhhAD&Y>`0!@2DslD^oG4hLZZYU(utI23Ih
zfPd8zP3`hp+2k~YIcaG(zaIZe*ojJ6`6IB1SI-bQem=y;weREORs;EiZ&+oY(<iy^
zW7;HEv(B)M<Qh)%Qt`PKZQRKE?a<-Ey`3}4>#X-!Ia{0UBi_zDD!3ifWu3bpUq2la
zkM@c%{er%I_t;n7#8cwF_Nt7Jf_=n0#pW>ba<^{Y{nprE--+597`G7;L5i9p87Dh0
z4Jr|-gbrwgyqB?Y%fVg=ztEG%<asRPa@#0N2H8SPmX>o&Fue88pi7Y<_1#xOaWD3)
z^SbvX9XFcyVvC0tH7KkWs-WJ)&YxW_{UPlJDHDZ_ntRsBH(7I6y?R2dUBksl(qxLm
zRsXYCK>P%Ip%Hq*&YaP9R%Z<;`xX)gVz|V={Z5bD`R&&nE3f%qsch<~FwH17W9*)o
z#Kt_R&7Fjy*bZHkeqqve@<Q`NdkUL32gy%B9-lVrfi=o&{9GHL!ZT)+0!y>h^nwoB
zJ9cFN?~6^qrHOxKG}oKHP~-XksL%GeowHngwPkpEZjyV+{@}Zd;HcZFFd<~TzEoJc
z<W=MZ{(#Ye`I7wuRoVx4n<bK^@6pS<F5`mIhGVMFBVT)cH|D5gG}tbX^(%L-OT2gd
z7krKF0r+ux#Y)v_U5Tw#<w7Hu?85|Bdbh((#}z>f@nYUtaB2Bb;6E-nPJxU}?tu>A
zB8=Oalh06>TLgX(-&^Rh(PhcVNYw>2TL&V_Ul^Ij5&W0=`_l$}m+7pKtz>Ba$&%E|
z$Wzzmk&L{P4Q$q)UU{+fufO>#BZw6rLbHv%g1NI-!HV%H!t@?C<PRHl#vFS=GtDp4
z?t0+FNDBPp%XX1<Y|qLS3C^Gqs8I1c>QZtpsyAH3jnALGqVew+Tr4r^#RZVp6X0OC
z+(NG)r#9~DMQT^qI<P2Y?-|lt;ERf>mOyKPGDGeEMcjJ_HMzC@!ch?c1yoQ3q=^)f
zqEbUuU>lUKpwdO@Rk{!$C;}?IOD~b86zS4cRC?&Wse~FJ5JEyt&I;`Pe9!ZqbKW^~
zX3l*7ILw&2?{%+wt?O5=)%rT=^J;=9?5w=?uH08-zB1ReTp^rpwo0&;zM*+&a&zQf
ze-*9>`AKxtu3cB_S(`&7!zkwt=N#9ijA37{dB5vluhuC_f0Bzd`ME;Z$*hs^PDdkw
zrt`Gb6P2{;E02zr)Aw;`T|1RDa_0BnH(ZEaD<-l1DLlx|-<|y$$W=lzgF$E|IyrS}
zyzy*eg3@Mwnd3G`AEf;iI3gqm<Do*G_UGDDwO%Q5W@dwcMn|CYa){Q}Z+Wwu9^edy
z+!O-O_<!`T<ixWPj9S#c(&is=5gc;-KvN(+JP**Z$;rt%S;#;vF#c%!Skh?c{6-$%
zqf!RsIPjCL0F28w4CaQY(Sai|3mnFCok>qij?79*N$~?p9pSu=DMgYo3}PYf?-aL~
zn$002O8DRmu&6SpNm+vmn`o1xXe7v<4~m8yi3iM~5;Y^EltP2@pQ1+smcX_0|2{nW
z2T1w<o?soVEr_}ld6^C5+Q~RGQYeUphD2$-Iz*~lhnq+q@RJasz-SN+^-oL)XY5YQ
zFBjPmrx8sJ)R1@;koVUI60(FG^~A9Q>D@MN_8;lp;JL$4sFD&f{YNPD?RMaW<41MC
zB7#Vsxp)vSRf54B2t!D`)&<xKP)q5E%bt}0N8JV)>NYn5lyV%0bL{nd5V6Jo{%yVu
z9A?m+N#c~q6~I4zBO?^4Q7llfsaad+CEcfi2)#J~$u3i5aA;(tVvM%pw(0=}{!Bzf
zq_4Nv{OB2A`yv!{__MD7px0QVxW^bb`i=s%oc)mS1{pJ4l0rTqVpyR@!7IdNB@XCp
zkX#DK4^WNEfjh^DF$LX7L>pDw#nVdp=)LPZbBSIZMAK5$%?p0xfOZ#c3Atu+2=`4H
ze|~l=;v)3Pw@!-YGg&<))46U%%B>e;?*3h^nF3v)0p-rqwwR)Rq-gv&VX(K5$3lnj
zr9uzCwKLWH-u4FgMQ$#C|1>h|FBszPbqNUzPBSrGn_TK^`iE~ysOX#xip}S@=E$l6
zqDf8K4$N+n5XTwZw}c3ppk8E$yNSg8W3MSt$SZEWaWH}!Z|<_Eos@*ypYC0|UvMLy
zaLOB&^q1s)`vT3B0uTHfE4zPCRLL+9g~sTm@>|niG$i!l9!f6kDYLzjIGrZ%4TOey
z-FMV2!NX||A=r5L)d{G0QdV%7vL=XdvVULt&{kvkN9sN%+7c|GoFuk@L!h#~%ih(W
zyierab#jjbydc@Kdv>vIl?$)qABu)%cMZt8=9E|xmPb9W1XS=Gpu4kY1tf$45FfS^
zhXl`bS5;H@20^=NuazCWDkaEJKl1+g0ZjRh!O?XH7ag3TJj=V1S6~628`q~%lx6ev
z<#F)5q(k&K?ruuzi4!M6rOv`NQEb#!Y$ZvC)hea8omV`vli1#k9*%;sEL}EzbM1!M
z5V}zO8iq!P?RnRL587yehwO9dA$=hDbaAGGw+gCi8-GA@1o5-rlT$qg@+vC_MK$we
z{B!|b6cyJ2hRcfj098HBkFw==m$EFGh>zo+x9j!ine_aTTmZl_t8#kGCJhv_et@l0
zMXnY$B&AYDX`wgzRJ-i@g7F>MnB1&<9r4Ow9ueL?4f@NB2k%~-lZ0Yk1zV$1OVu}k
z(16V!|FQsd42OAt6l)&%E~tR(@t7Bs@y~Sc1M`Z1KA$Nuw-oea#S25&B>rAulA$*G
z!^YJk`DO=mDknq=iV=Ke`WC!>>-VXp!QYbiF@n(%=Yx9tW;nbi%%|9s3tsFTpx-^6
zc_B{rZR%cSx)N*8VZ!>D?>VjKz-t%bs^XG5W(Pf)oa8RBBsp{5&UNTs;;N3VYq8i4
z$@YTKfJPBEqtT1a)HatI;AoT<CN;~s6eK*L1K*_fa(E$ZXTBjXD7nDHpPydUN7)d(
zcL~s8nRyNw8=f(><ze8d(VW=R4#}ypci8hQD++jhL6>g&<>sBtKg6<Q+U#9LD^vz(
zPkDR~;h#@}!GbEf)dQWgtnB=-9_}_%_1<7^975NE2JV+{iUr-}m4N1j3~LmbKN7GE
z%SN0uWo5p(4X(^@PwSB@?hsm|d9AEjJpSA(X)|b!L}3H*>)@S&UzEGnz_ge>WaRka
zl2bR?N!uIqD}BDc&9Dpm<5z|>8XQJ%h@au@8u)@ge4bhTn+?T%eE&;L)PYb^Q38rQ
z4g7@+3QlfDEWR<8RI}&K_B!>B?O+PoVf%8_lb8}Iy~z=uaAQQ*Tu3WjJ_-8v6PO#M
z@Wmi2JMKgNiJc0VmJRGbl2aSD%_Jbb=rGr{<O0dli%@j-!n83QUI$IO8u0C4j6R4e
zyljzkxuS{6uly_?YR}!*1hYDS;@e>py-i~`D9TSyS>1Y9mibr8A`8>`rgUjfQTDk*
zXD(@>=`0R^2sMo@UwxGQ94xDV3hase%6s626(z<seWJ&KPZVW{abOZodfRNh5fTGG
zGc<ifxw6v@aILW7+AVdv1`Nvvn=F$HqOA@lqh<z}j8{%cY%QFT(FOb(w=x?@b{p#*
zuumBB_utgZPckI`tc*^!vU^W|upaK`$sGfGK$?nPY`MSs5WjUp4>~M~+esX7y^2ig
z62K3S9{g~d<n$}EekUU%9<ed36ql2h=2@UlS;vaCOs_%b>T;&FUh|CI0F1o8tCUOE
zVp(YJQ;TV>(Ozl6zER$~^f6&aPj3fHf5mq-^|zOl{hYyamjV=*BVex+*GKLv=@2E*
z4x?p!Zcv#uFM>evk7l3MoKRQKKlkfYJ5TI`ph5^h;PJy|2nFEgAU#FTF4anGBr0t8
zB{nke3YMI)_Cv8*JpbOnF$|DolAL7*mgt^Dd(-ZdHi6;uL-p%}^MUx@$4CTbM;ZZ)
z<dP7_1g5uY_V(tRqLGOcy9>5v{=4JT?bGD_=??pnh6m3~g}K3HCLbOcXgynk*izXJ
znc^DfE9N4S0{7NJ5F*wm9G`z8J<l<rcu;Ko-UmU+EC2C9erpAbt-9&`;+locF^*YD
zZXlf`dpIX5zzOd<hVrvgDZ)D10J(iyx_6gE5R-ny$+_t-`~17zF+b-f8l@HJ!w6mb
zJHt&0fPiW`<wrDe<34hY320=7Q5j7_O556GQ_^z}JrWnWo2<xm7LS|ZBExESBgQ-T
zE84vAoi0F38HMnzG-KdWyf{Y8M9NP|Kjzpk_-k5a_<<iuyKU}f!^iS8?_eD{v+-g?
zVgnAb&4S>eDC?B9H?l*fC|(F<&eMuaZ{6qI_p47_29y(zl`mJ761|kRbQ<@qf%Q|h
zf19X>h^hQT(w<n87?z%~LmRPkAG*G1UgN?`);45M@n|Ij{eC<}#CdV{ICCah3Lg;Q
z?7xv>^-2x)_M6t$$JtU6$zS}B&)ToAFPYvR-F*9V;niK0rxg)Lfx3#^)VkiE=$f2X
z*=7(jU)eUQbY&t3*%XZ+-L&XRK92i(qGmSRY2K)~>HB*HnFhm`xRbVO3=J6xMX4v;
z*pvS9@$^Q@9>_ES_U~+<NXAxT!-?{G3vSV?8ocgvE^yiRC1S*gufrv89gh*$Wm8+&
zT{*iGF0R-=bg9lV%iWgC1n7hO?D*sON7ZzG#vM)JZxtJDm9dNt!)HdT-9qs6)YFJv
zuitQze-cq-OB$J@O+1n0$TaW4GT}+^-t`_=T=E9^NH5__^(^TDv3A$l`9-0TG=B)=
zJm*{T!||r8>~$n<5dNA0ruby-v)><p=i!3{Q8Q6D7Lgk&*s&QThz>4uDPCRuO8}zT
zo}siEW+XK}IHP(tnlw*<)(Iy1k6=P-SHIktm28-PoFTu0seDsE-Scd&w5%TTKI^h9
z<akX^=?coZMvk{U;x$K2O^KgE((W7wt<=KuR&Xju5=j`2AY;H6zt~7Y%`8UrPPMFl
zpCS7f&ono-+(<O(o00$ewXp$p{*(~5w)|)$`^fE5&L(@LcQ-&O(l=XqppS2~WS-iE
zzdperYwynK{L~+E&ygK$L|#+XH>LOf1@Z6O3$A#CILggC5BLQvW93*7Tc>bCN&E0|
zUh=vUiP5#1w7l6IBUd-{nknG6Wmkr;5vMo$%yuGTT{20@K4EW}ODX0fkf`iJHiJ&T
zs`Y&8dJkp%F0Rpx)OV^OB#rA%$WmqLw!N1vBGUgPxf=H<&(YNhP}DI~cF!J7?DxIC
z*ryP`v9f)gtk^c?y!M5M{d_i-sAsCydj=u~8QfXJe-TujI_Qdz<<>^r1M!4ie-op?
zBc+;B4t+Fd{q>BX!)f|9>_7bWL`U<R`VrUIr&3?#W&L$Rc>i~+f?bKxr5jNjBkbQD
zj*_2RrnelB1WM!(<MBduD96SV$#TR{oRae}3;9i|P5pEn$}pKdb^K%+1Wyqek8Ak-
z!CkCz8})#C;=}5F@q%3g`RX8`=1_1cNUy+8dXYmV_SYj_N$sDF>pZ(i5?4pi^^ZND
zXLNt?oNRs`(eY`crZ^-EyT;*E!m|G}h5jVLpJOEpdBXrDy~Sa8v>*h+EK1z`_<8)M
zCG1k!-R=Fw{HfaVaY52dT~jQ*^D&>-X2h8?O(sqLo)PZehSD$7!7Nm}e6eZE`S<2?
z=?U19fnkoSmHJ;pn7yghsOV}ys{e#I_HistQidqwH7KErm|5+Xsh(@w<E!Z!*kBQk
zW0z(_6H!gpAZF}#zAY}fbR6s?Gk~aMrFhn{Vqp6YDoqYU`t^rzoz4uLhSXdoZ8ev9
zn^8_515lpVTWm&m&nZ3mc;CmTGySjhQ2n<B$6Ts!#VzhNDtw=AVq(Occ`GqFZ>m8X
ziH$F1xY$SZQ+59WBb$zm$)%1<^^9C&(x=;~aP*hYt3NLs6p!&piTS|#V=>XReBW*U
zV>=)c>^Nr@nc($(lG)rZ+f)^9<D|Qe(10L{h@H-`%@uVQV$7rf{Z}|H4SU1fNzrB`
zTw?BTgOEOxqCP9ak;M0wZH~CLW=591fbbu?YYh0mEJRHUI;Nbj<<;<h3ogpujsM!n
zQC7D#j2R29qtDjZCZ4b$Mkul_Q#6#j*uLD%&$+u3p;u<t9a%f#vNc9Zvwjdx($hy;
zeA8GTW!#&sd`tnah9@fr_c{7cN(%aE&l5r|M?8W_?1HDG_RRF8{5@ZYx*&cb^FH<-
zW2XpwT9x*imEHlx!moqmx}9=Ls)vnnNGlQq-03k`Qkw#*GSu~#G$N|)0bKCy^p~4q
z=6+53Pd;3L?z5Qxnd%;_9CTb;!HTSP)jGuy#&DYJ#0C!Q-0$M&`u$da#NoE8!X%&H
zB&-g8>gQRR3#xf>ySbOANMO5J<H*1C0{Sn8C#wvql8W*9XP@9@C!giTmwgi}^e_+I
zm`*{TJU%zur-Jc7KV*E~Gdh`+#5M>pvB8CqG=>+%&CMkK`A>{;9KU;GrI+?D%WAhJ
zEA0+j0U>2jD-cpz#!t=PmDf~FagZ|kwBJ`JPJUe=l61~uSE7vAPi<qJ_F~!%8d+D=
zDvfbnYfNjggG8M5VpmQ2gN1ibdR=}u)%4zVq#^@;Jx8JO;aLpU%QUbA+d{=Q@BF}8
z=rzX<NK2+7xB^j?EpD~R9c#5+O{|BM3`Z`5yP*`_0a4+klr77(4$k_hZ7+`NDs`yU
zVzUUq@hxxc*9gB0$S>LT{PP+6%hpySMj>CCQ4_@iqMOO7T+e^KNOcYyRivJu`8-UB
zu`&2Dx{vNEIvbL3Y+^@WE4IM@(=J?^0<b06-5{2`eQ^jCRFIi2%)oJajmgaj9^|dw
z_WxqLG$-|1B4-*4XdP5D%X;EOY}5*&A>6UHyW!nE&S|-_j_3{Xahc`IK~dDRf>oDu
zzp)kM?bd42bUE#cOvNz--L*Bx3}`usbZD01^Lgv1YIZ6LY9%dRJ+y`o8%%q=-wI+e
z%}ioD*9-_7`q)^$CBaAnk>ZKj$eCe0CYNblFr?y;H!*XJd%fafu~}4w2B#u9Q4M(3
zZkN4Bs+s5EA-NPz?&gJ;?hA%ZrM6pdcDVbmY;V2>1}45yM`&=3H-pl)Mv%Nec36S2
z&y_=0jy@0@e=t>!V$fv-+<jo#ahqO#C+mlI9pt+U#Y5*6;CVN^oagKBjw28}4GzpY
zzJn`7zF|n_KVBw^@4xx@#wC2N81TRpRS%&ZRv=c?`}Mu9N&ZtdGIYoc=^X=P2Gn<o
zn?fibyhODq&*?Kp=jbj<=+dw!@@ZSpK#pr@XuRXrb3l6onscs~T8AYdb9!DmP%;iO
z++qtb^<DqbYRa`gH|uv2*~WS^XAyWmaxd{Mx!D3A6I>eBx8(p}I{RUaM-3K$KecM^
zZpxL$lVHjP8O)t6RS993mAr>><$!*W;y6ME@t%`&))eLI!SCmHy@4<TxQlIg-VsgP
z(jc$fZ){L3pzcBP!(s)rts*Xk(#iS6SSqwUuC#fx>eaNHCXZ|7^`u?m00Fz*;Dw@%
z=cgDM=lw9a{=ShkuPIw)-I2mikZb2;-()8=Ros#NKs7WnVxtJhXY=F(kEb?pMa?%1
z;*KQHELLA@V78ALGR?9>TsZO$idRqcA7Zu(9wKo$vqexuc{zh1rAN6hQUs6`DD9$X
ziJyvYNC#%QM>aCVUv1H2-~|AravoajrWbAJ*?j3lVu@}mW%jk!V<l(zU31*17U$na
zK!SP=-b><b%$_J*Jg*HNiQ)*h?SFHcVy$L{I{rQ+k9x6Z6WEnp?N%b!FN*Z>tQbm&
z)Cxr7QE6yX&j-INu*d2=Og24&x1-G!@^*FJ2xR_skN)Cv;)3|k;S-KlLt=WAXLZ(4
zZ~8of^hM9Et~xC)E=B`w;|;OXxnZYYmGy4R;7@Nm`(ca@d>gBsOcs9Q#(F*@$o_7*
zHVPk9U@;%&wmwmH8z_!cBkjy-&OHtk!J4@)(%dcWrsB9Ygw)}JFJJFp?mX2i2&|8U
zo`Cd;D@fU-^kxBLot{$$Cw}Y?J*1r+C$^?5Oj#y=7O+CpKH-&|)7XONKKluO9E^)(
zpo~8Q2M4%<tz7X1tXwoDbOs-u;ue%u2o4~bG=&{?vz?f2Y9eqqQ3NXrL*Aj+X`*f1
zS^9XKox7t%Q%Y%SWe=efjH!75>4c1-3$tL&-M~YV)h8}7VW6_2*ettZpb=zbcbPKl
zZNjwjeeA;0={Q!0oc(uRJX)T3YU!9O)%69yXEq<3*hfUM%cFebXj^cDdxzi>sasxP
za#;mPnAH57)~L(l*k!=b@sw%8<V7Nh>+g1x&B8h9-|jwNeR@39XB(q87Rvlwkb^oF
zcxrSYv<~8M86%!@;i1}P&$gySWVt}z8EO1B)#^+Gi@$k^W{_gK`@94^WV(fezSA3V
zY+`sSdRS&v(bSW}Wm=l|XVuxdsq}Q7#f>UI6#T(*1D6ZulMwV&kx^~kZq78ZUZHd<
z)|Qe(n1*M$Ar@bklHl5Qk&NNJZOv+@!3kJUnbm8b%OLm4RQ>7HvzmlXp-~OT<lAX!
z<Xn133N^@0^F8@jz;==~y61@X{Opv#(@))_>-5m9ERCGX3z1&Fj{-x9Ze%}#>~(&1
zuXnX>9ar{OmZDKv=GM}z=;PdzcdP;pQ$6UH2h(av>0TKtD3OrW&wg@!t@AVWb9v(I
z9p0RWC>fCJCfz_P2D_OA2EfV7T2n^W1Zy9c3^N3FHFZT&<T{z*kJHupQRtD@>J>-B
z&<+2vW%w8sH`#uQf&d0;*Ap%5>RpKxy{<-$oG@fj&Be>BdRrJAE+=eUZ|eir^L<nC
zN-0^Nt^ta4%M~rDwM6b1)kxdspV<Fgx8Xd_o#I|HhUlq|y$GmK?%ic~_E^;d@2@VP
z+|})WaFy79B+q})lzJzy4A}edMg`nEvOQwl%3BD_-WYN5`4K^{xXi6u>hI{5)$qn?
zOicJroZGht_>JB~X<#&hZJdoUnXgJ^>E$!3#xN}>&ga%3yWehjo%S-Sk%d<sukuSJ
z^6p96KavoG!YrqlIOuz0s)o^p)&Y!tnKK}j*3AuaE9aC?F9n0N5`7fg+iZ~6Qf;-*
z1y=2?amfX{@bZw>x+AS3(x2-&9{p|eF>2;8cADli@cBrIev{?O0awgvkrQo3ZNx_q
zE_Hk9?0DKNURHwqD8D<l**1IOj2qsMVb|CF`*$Z|>PiOGeLVOj$#mYjpQGT)C;DY6
zjzSBjM^n4!y^IRJyngE7GVOJasBlGV*Jlbi(P_k%Cp2Uyr#5YOIk$t|*CaVrmj$d-
zbwkd6t0g7!hLYHb#{Leb#2Tc!0;P*ne<K>GQdDZCYWbK_UMj1bSDw8wtZSOl3K&z3
zmE{d18k1>#{WH{!J-X4^m@?ioY=)kgs&)d>U1^owrL0@vo^>758ROjVmM}Y?F4;Vp
zrh8eAJwu`#1iQ`e6AyyEdt+yWek;%-d0M8?g*^E>u^R`5BmCCDregCYxG&}QPfr8o
z(_9MDw8HkD^&9#=#;49SrjasN+=U{a*Po#UI#SEP$5#r^1D?Iq5QSM~_If-goX6i&
zfXn{<Q^1oF>fMg%Y=rWnY9}1~5241}UQ32-bP^o!EZ!bWYz>vVyNS`{Z0@u*pz2P|
z7Z#`nRoz;SdZcx|TL1k!te<gCqrihyUMRTJtB>zEKbWWQkEu>*eBq-)qx@vSCTds%
z07)jFk_^=?`yF#vUGGO-oS0Ae_N}StP+@BAHK2C&?EO0$e{pt?d$WjijP|K(ncc4_
zE^-QVM3guW@S$oQlKyt~xEbho^+UycY%e7YMNJoUx?gNSZDDnv-F6%wjurSheQVkA
z9M2G(Ycshy-D{8d-QINw@h~VkwenSwg5r*|p87b*E`lRDN@geg9{ZIBD?7(e!UG!n
z{TU>8yRHG?%<(m|TOr%}>Gx_6j$3V=59B|Mi)d4&XsYY1t=IR4ry^f`V@M&eS?%U{
z<w?KIo=p@1`K@uVRXd*ytNm_}=y-`peB_-tp_}87p-<TUjK4mKi>l#~bMtuth+f|N
z$M1?yZFJhB!yj395?dAS_9)TKa@=AmUihc!SopMCmF>ueC@GyPCAInXBgusYT@$eP
z^EoJtom8WnqrIE|zMDypcIQQr<@E*)EiGVec-}-t7(rYTC|gHtMdBWsbt>h+bgTqo
z`(;*K5&V7Sez6x91~buZ&NomK((^Rg#-&`^UUr7(OQpNIt3&b0Div;AN*jCPWw7f(
ziUQ6NoY>9tCW*tte-II)pQ5C-BZyl^MxpR;FK?3wr`r9}UhIYxiKF*VF-`dI_)K`e
zFWWfr!+$#U-5G16phmHDFfE>~a&3&Pz|&SvyMCK^O+?R$k%A`5Wtv)Gws#DhQOT0_
z3+wCV>6z#Qh(mB}VIiMZ85YSIe`r~OS1}I3Hb*FTe3E;;tR?&L7s`&VegC<>d6l;R
zR{Qdr+@GNE%c1*?gX>k`gaBZM3fxy7h+XGsN>C^*A7ACuFJnSnFIZhHN!pQ{-qy-Z
zl3i9U1}>FJS^f&`!ifCoQK&*5u&Yuxx1CRaqxecX=cYb;B*sX=>1tYY3z#-BE{`DK
z(Utf;a2M=Hhp~bT1*-_iqoSnI&bd;W8J_cTay1-#Ah2ImRZX)O?3vHzOF{j*9JKgA
zY`h&T*>Wfg$fGvOfgJh#`cW&kc5~XlpbkqE<qwx1KKe>xP?vpna&j^{;SCXufV+h+
z@0gL;X(ttIy=Q6&xU{DQ6Oj)sO}Xxxa`k9P2N8?TkKcuP<FTe4rn-3bz=&)+NZ%R#
zxM0^uxC7KgkJIP-JAWoofGfb#ZSQDyK+G*AGfiz<hd-4dQ*^~Y+Q*gyCA6z4CFA@S
zRLbBxgivO4x(1q?oB2<tLEU}=Tx(Xs@s!Aj2K_)3*uRl~n{h5qmr2R=qm30`{XJy)
zt`)Zon-nk+mzT!NBWQrS7-a7Sn7(C+F68GvT&2UT>&kv8;4y_sF0NluQr7vqjT{vJ
zP*xtH0a(_?`{zg%;JsO<{-V7<su%`s1pcPcd2f4}5<!uWt~qCk<u4FmHz?@+cZwdQ
z9K>|x*!wkBsCY!gK9%3%vt8?bY$})v+U57Jc6ruY*-f4SFf)*Tf<F}+U?W!)0`A54
zq3eOzv%Ny{=3$_F=B1spukS?XCv|a2p&wwx*X}P&c<o5%zAzHY=lEBH%?_Lg^$bNr
zcM^*C0sd!`d;2=ub3FDAj2!?}7#k!>vlng5br^30)$@KIqcT=7O_1#+km@poS=kBF
zcTeSOXYpI_r}Uomvj%pOaq<Vr{Xr$*>gbHaHj(|mf`$&H^Lq8E2SyGrT(qPJF=K=@
zQNRlF?;rDpCP-Ig>3g|T@F3Fph8_)ta$CWn-ftARkwqU4m(xViD*y9o0Q1Qm3iW?{
z8{je?acZ#8C|{S9)J=t9+w(TAS|H9p9F90&5LB#QKx(0v00MeUc;4eKKbWr5)<C3Q
z4{*=MgBx75#9`+Sbo&#;w^3e=Pn~%d@y+);cr*NWY|(FwZF994L|kkOKK7uKLCz=r
zvz|2v3^4J4E2mxvUIfr9KUL=z8%G8%^)l5gy}kvIryM!$<N{1&qnA(b?Ri14y?ur4
z`q{Xq1B+d7Z~36|id*nNqj_C!P`PVhOfEZzIk~`IWm=$QLO;LFK;@%ULqA&H?eBNc
z+*<1gn4dvUY|T=LL)_5NP^bBT#Qlc}T95OwcS`xK{lwfU*q8gkq|aw)AbF9s((SjZ
z_7-+A6URd`;sp?waDiNYX3H^;Xl{u|0@(I-;HqyZ=oRkl;rI1_Bmg28=>!L8N~-8V
zZwzL!OHU;>lE+W>?Ua!2HkSQ~tKXYxijHL@tJP~Tv+&qh^)nhzvSM-`iC1!Z7V)vh
zp#ToYEWi0Zr#9TyRSQUL!5}O}HS*<|c^i`E(9Jj`d@5SN%q||W`Oqx-9AQ4slvKLc
z6)Lb&^k6%fR^4a+ll(4P8!b|9{C>A-8`0*q%1_nh4u+8PjoyN4vBdqvpC{kBfRvDF
z#@w7$9kcD>osOfg`hC`KqE@Ci%%XwGc6B}cC{T0y?@0^HnwLoA=9GD@x~N-|FbqT&
znp?JiB=0jaGO{@I4N{vV7i=sN4&0m9t^gQ#Jd!E#8z2RM=_`v4ViEtdF|?Da%U!M1
z%8n^DY%<3_g}q!}nSGV1*MEEI34o|-d(*s=L7?6?%6{i6cmRtC{0N`~9*nRl4PC_Y
z1@n%Voi@FpID>ZcXA5tPJx-VbJl1QK?R8&Yzbg)Xr`$vWa?Z}RaVA2pvns2N^#|D4
z^A@LNmOTc}Ful}jxZ1SWtcmNHOmg9FvGw+vhLx>l)s-VvZf!j5aMZ-MrzAQj>^>B$
zI2rw5tODMzDV@aRQdL=*#BV3EyVXRtp^*W;!oI-cfS-B6uR<@kNiNprjk-X#?@Hyc
z#;CfP+ZsHx(Mp8HpR|#YNYQ-a_d6?A0@^=6U(ZgJars7Nefb#gEsy+PYEit^*T+gp
zC*~Bt1}|bs&r*DU^8<rOZSeWd3qX}GIHpmA<lZ4)-e@-o0v7z&is?}j(5D|R&{FQ*
z9PO_%ZH0zs9$WS6@?hm30t~m3N9Kw+Ck3JhSfW5!gs1Hnkd>G{+`c$~rtv{Vv?1)Z
zgp6vzyp<hTw!0Y>1LywAkn2BA;WGcdj0TdW?o;wE*Rptp%q1Y+NWn^{+@Z8cMKk)F
z02<wd0%f!wfCRxN>+$;ZE1&F;aC>YNDvinG(nGA?8N(YNhdKv*-ls$upGyJjE>bE;
zASWyY4M-1^(*w^nHm^v80?DnsLiERoDrWm!0$ai6Jtx_Aq`9yb*b6H3GERcX|NP;W
zvy^0=9xagm{M*#g59$DR=e-6#w83@M9cKPV3JOQ+g7ED8KU?YPr6B(`cr3%gCT4M4
zz$&bnvQ0A$CJq2v39APHLMw0ov*YPFSAZB(UzXLp6zl}0wvLXK>Tcdyce$>9X!EAn
z(DDv|i&VqEPQ83<pXap%hD9|kJ@Lwf5{Xuu?Yq|bLp5*l%CX`xZ~xhLd1%2I0%(s<
zgus5-0NDf#3i)sX8KUFqW04Sn_uc$x77yIFJAj3ECrwmFLcROtR&A^srL5J{NChkZ
zL<m*pSwQUipd2~U#}uQuvw-9uv9VQWPmzQy22_|1n`VV@`m|2W13CCy=L$sVEuc{^
zReayf5%arq;DZXx0A>LT`^GRO?U6hV(V?d>ijcrl$yYgJyVF{x{p8KT|H2Z}i<44d
zsVxMoZD5F{f|zT9916AdKm_zP6h$h8y$IUxL>vhKMo#}JAkS~^R=lFE2p^epz3BfS
z-4|!DE^;Iw8F=&N=X*?(UlbxReBRq}Q?h(wP56XD@>il|+V&O50L6wps3;cXjL<*K
zIL<@&u6pY>@|cy=E(~-iB>+8opQ*n?V2rGAw^f4D71E2#5J46|5`Sy79v@=4Z-i|v
z$JX-!KiRj1JwbV<2~B>b`u=N3uC_=#F7Sc0U_mps)d++5CF&(QZ9PJBs2qP0L7f&?
ztz`v!fgZTylF+IRN{?mK^SR>U-hIvVAj)Jd3gFO@W}eQ+4uAjS?YW{$MOP<uxg(t`
zT8v5U5oe)Ui@QF%Vt<hmTrULBQ4G`R1(+)vH?@8vzd!K(i-cn@a>X&v0B>?2+{%>F
z_ySE530eHXu)W2eOP>2HdK2UNGZK<1%;xm$Ub?E!9LP1i5lH`34S`g8?rphjPh$NA
zBIR+fO<wx6{LeCU3QK-##Tju`X?L{SRkVq`k6qC|l8FQJ#qP=G(%_97H)3k`elsGX
zC^q#ZW{41_75u;qC7sEK;`g2;?VL_w`NJq&G74X98v&U76JW;%)IGhE8$h!lGDk~M
z2~b#M0G8wgHZ*Yw3Fi%J-3v^P#=!sy0tnrQras7ndj%!^2gvtnGA_#g+Z|?OMmM*?
z_2Mod=+{7ItNtm0qHh4sKMLg!1hP*6<!^9gL=B?+!?@PH&GZ<KBIz6Cq?P@LZl57(
zpFpwqKcEr<LvJW3%+|n%>rr8B0~33t2#D<u;yeA0(-bD$0qL8<%}*3Fqk!d8Q(&LF
z)^7gaDLp`M9q2&RLMVj!c}3PzX-tA*w@97km#OcaH_DvzHb_o)eokMCItn;o8Kb?<
z(UWK3K3=fW`-FHGvFp!1nOQu06fr)&X=m}gbsHOXs(VcV{l!UuCT?4y*lQ=*3r}Aw
zO}%STvO&y1uSESMo)!lt*n$UI^`qk`S47{#B^TX1YE`$-?*EViM2P|(;Z64`Tz!cC
zaHW3Wm-}TkU7~7lPy~HK^3}F+o+2!d)%inH0*VCvjiT2(0@Wr#ok&=V2_R6dEHEvO
z#_uQCCUE@iW`@G<co2X+@eMN=jACB)r_%IuZBAXC+0JgAB}mHtDe5!PMsd(%*DL0E
zJ_*5ApT3&PJJ6&XWH)lN_)O?e*<%-@8XG6%j#m%s4RKUC(u=@9E4}t#dC}s@^|9Hz
zSOw))Ij-BGFcn*YEzhWSM5e>Gs@nWkvM`m|q})B_;otBnm-N85yYh67>hqD3UUDNu
z9&$<F?{U&p?LH#3-6WChd}U|fg^L%V=|U#u?Qm)l_pb)Kg=8^@QSm^jcT*t}Xy1ie
zg>!K5Dd}1!d+xbVH;d_he#qj9nqhe9Bo#Mt-XDn5k4?aZ$uldGFzck>Bol={!Z-y}
zr`LUq@cmyX`QWK(?{saJg)BkBXO#FePlm=}TkJU5nD9Egptufj$mdH_TZW5`GybIt
zWY_tl<k_@g>^FYB`~*8-w+C8qHP=`)+bKFXkcdv*=_@FwVFPvNwbwOYd{nA*-?a`)
zNjUhIRLp0-Rbs4mKr7y!bK!lt^u?6^CY!|a%;>cEc<Ig0;paC=8f2`J#@>o_C6Q4O
zR6#rYzJI$1kH9#@c12=ZFqx-Pnj3F}3}kG8MT)caN3OZ?uJp?fhljq{yxw@uF0}}A
zNkx{IVSGB99@>lx@5BMxeDco_?_VBcEuEZ`QsExeKtOnQmvP5aZED6bhTic|K={Qo
z_3auF<(+8p(R*WOwk8$wz=1vJ4UiEg1?Voh>D>3`)UBUe3~$Wr<zwGmcTh`tn@_a%
zL6FVwj{46|IDHuaSr7++^hVyFge`<%fZ>{AU=GrcZu*_N<!}!2zAQErn?3!iW8b{-
zgNa#=wJe74Z^HFDDaU92hD%TDkg)A#6h*i`DYL<O?m2cDF2BG(sa7*Cs8QM!xu|qP
zf6rUhfN#4=_L9}mt1F>C2qANyap$FRdSGgFy03$igqiLQ*;ISQ#_HK9#?mvoy4)vZ
zk&JPo2ny3bU1>F=yE>1#G0QA>w8y^6`32N+*(VUD%?fO7%}cb@vpn+c<U?LM+#LL6
z!{6IZsP<4&jKBBjO#k*S<Nb}56LAqhHthm)#&JlS30!r&>1lt=4*0RR<3#~lJH~t_
zgqX#-;0;9T0~C?^@Je_eMWk+SbEVVZ!RjzTP4^Z0H?9MS7KZm7*$j?gW<DwAa?UX1
z!%sKCRzERWxX=6XuuNM>Us*3cC1^u)1I&f4YAzk{Z68YPk*sfMuqLH`XQs5EEtwZ(
z;&$0r1%o5LVA33+JbBZ9jke%76yr2$ZG^Ii^y&M}yb@DhqJJqOu4w2lcvLzjIObxc
zKIpMDOid7<%f4->0-t)+!JzEG=9Vh<@pOdQCocgsR=&N0Ollr@zI)_8@Y$nxZ+p6G
zE?Cw)E%qdM9-e06hF>Ft-!3m#0_FMdT@9pt)pX9VoInWny4&+<!<Fc3cOxCzuAX>K
z>^SLQdcUf?_=|TY-etn|_L1mF_7;iZB8Sr}ShvXAKJw#PvimI$tm<~*2kESm>~`BT
zm@ar^UNeyxZ4i=>S~cS4tv>^0ew;G23wKl3^PzPjbn5yiMOPjf<sf)*T8@DkXji`<
za0R$f@`L2bxdj#%Q7ivA<z_OfyNdW)=2q*(wEL20ho{+_+g!tbk3<AMM=r`|nk1Sf
zI!N**FYk2KU*#coP)jvrIJXq%a5f+^-#k)U17!c*3bD1%E*kce?FrxYP`zpqwn|ma
z%kqBMqS0IPjSs!Q4SmF}$1yT?=OMUq(Xj?0B2dS2io9LNn8br)3v<;niDos}NVhII
z1x3uScNkc1fl0(N&iFbKsN02lWBIgR?271bXk_6aQID-$@1$`FZAm+^zn4qp)+Nnl
zvWB#s)dl7okW7X!RgRNbP4k=guj_b%6CnTC>cDZJt8Gq*t`AjsYtOEdd2<x3KN`ms
z4%EZnpLl-;BxPT9(|b3Ze1BPj9g-Vz`jtgbu(~Ie8ZFWHX;611_2Zp?&bj}^St#@~
z)lP+RgOG8XM@@iM*yE=IMDQ3Tyt)7s?RL!<mSY>V+IuaHs+O6_tlSfKjs^-GJ08$Z
zsr>?h-*!{5j!WAO7FUGiOM}LqW0D^Xlq1v6BaZ2Sw8r1BYj0oKT|8G5Oix&8wGH!R
z&vApl{PsEW%x7l1Vrt509ud4+jjlAo;~(CK662|JOa*RvID5h0bXq=)bY~#6_5bK&
zg2V-Y049PWvJOm6M_)(qdH@Jw;*Ngc35M%zRGALobxW--tV7796T23$%!|25l^Zh4
z6UQL!K>C^KA9gAf#l~DvZsHm#ee9qxL_XKw{?=k~ZdbCZX&`SYK^*VL_YM8qX5?F1
z$RnA5C=XRjaTsE-SxlVz!m~cNwlk^93z?-5`^{>r+S6Bj1RpuMRiuX$!g=R`E>e+R
z`XWL0Ec#!Ul@Ik#TO!&>`@3D6fX><hc=mS1$8IY8%Tedw^j<=kt@RlkAPZ_yxK4Fc
zn-M@(@ZY)={ICDF^Fo?VW$JY{NX$!Cq%IBbt=BoF(Msp^er|1jrX+ohZhA{fOOM;%
zR3tdO&OstoKzW;GkxXCrYsp7!^}YeKA&Uc<LR6&dBW3-%i*rzyKd&07<5~cIc!g50
z<QBUi3&)WUo{;Q|36y-)2Ys5O?JNJGSiKDR-QI#B|8Yb3ce|<o!@vJbnA85KX^zrs
z+8HcCgRqZ~&<cdJ7DI&wH>^<?0U7j-n6%@Vh4YcNFE!0EAru`(<&z(Dpv9_l*)J9V
zW)AHzG%{LgIFjiK2J?d*DB3|0xq@;>fDLR3BISSN82X@3IzS1el_K8*6^A4wUl^=|
z{|mwDb?qq5_B~3uqVL~dnH<&VMx)<T3SixU6C5bwS`#{r43q+ejgZ__WcPO_n_^T<
zoe3%pCZ(O%(E@IHeLX$gpkj$9tq!N5(|)<quDJNpBl^DsX!oOXM^6jg^3nkU)^ETe
zY8JoPPjOcMF9uJwtDo={)DUpNHO4Y3GAiJs3IU;b>VxoYN`mblkEj2i)vAY@*!QD=
zE_`4Om7<TtOqLl@FL%|C-#prtu3(fPVr1paLkr|}gY>PdB1WlcjSb7ilf{UC=~O>j
z{vCgh<ImO8Uyi2E6!ZOkl5jo-Y#Ms8tm_Ns1bi$ui9-@JSqx#zv1wY|Q#FyyG?dy_
z`N?NSiK$EoS-8b;x<XkCVsy+Bdkg~74ySb_TP&aVY@5OADr!zbE_a5r=grP?DS=Dw
zcHzaUj)C9S8FAM8C!=WoPZm9r`A}raz8sfs0%*6F?$|sgo?q-LNP)UDFBWw1tA-yc
zQxA+fb|g$JJ)Ea`YXa4$YF9Lo2gr6)lTj6RR7m%!u9d<GskY*l5KGuE+Jne``Q&=K
z_FC!0aC995u`y<p;p@1$vY9iH&?#tGx-v^Q%`gto8p7Q<Xadequh7H(iiE|kf?_={
z*=rMeeCWk<P_$Z@!mIfA8`fg~X?%M>S;<>n>un+VAwY)=%oFTseCE@++K9tRDQYyg
zUj}@z1<|UP9GNSwkt2vb+e4sG?l!%6Qp{*E=i<fX*gUtL+dFADGk<^e;xgGWUOi*R
zyPGa0=RdjV6Il&Hc6i8>)Xmiej`m{fZqY@T2NEO13cc!ZzBM05$lJPx>?##!f4Vm!
zQ?<Z02%fj>ml{glT3kdRp&H7%Lm_(DA*DU~XcqDVQ$<S_s?@)o=$-&4x{DsL0pM?#
zpIcm%#F1|Mnn6L<K@}(&;da2TSioUiI5`W%%edpIU-Dxbv_ZQ@TgK<ut$Ne2o(;~z
zUwc0~WU?3IvMkdS#*ZTZa;bg@ty0msf<0#ycg`%jY2YIMV-(v+LE@~lnL|9+-U1BA
z+pu@lttA!5O7Y#um$E*w9Vcy=SuJ^LwsY_)Jj5OU10mSpcKz7-zZh)I2Awzu^OPIZ
zK8|&5aD7;ESpohdDr@@RCr#r=7+i)Y`Pe0Gl74mgs)_&j#~}~#k3(LY-p>bxv75k<
zPwstYEjWtoegJtX-S1^pq7VFMw0W<A+a-^x4k7rt2t%imvqO&UrgL4ZiKa|(o)2o`
zUgL}e%*6Fe6LX%Ie$+RdB=8KJ0aN{{iPh^b(%F3gMcyIbB&*HE^e==aJC)oUE}GRb
zak_ovL=JY5t#c^6%y2!vDbBey6!*u-^M&DWs`ToqwuB}vj)ZEhs&+bMok?(vO3tAY
z3ia8Xy=v}i{PmIiIH{dqH&U8g*4$k_(Dj$j>Z%WgSW!Us{`jk~JE!pJhd<y=)hemO
zH+~R59QbO?4rUaw&sHfn;?{iNlQ;I21!e_IpW>(M1&frn{Hx@HYj4pU{qUpnd;?$J
znK1?C@i%9o;gzQSE=_o96efo#=I6O6HTtP-xgZCaiioSYJf2&+M7`^2VJ+cls=nr3
z?Kr}GVX~(`Fs>@1;7wh_ALo#*627_GE}y-Io4{7sLCHw8ocFH8z2T<d;8|RJ)6UgW
z*w4BlziEk^yNr=$pc7nEvR8ss<}s8_BmscV<VY{QcW&!1RacFr7(`MQ(vHzr`;b?|
zNzGAzfXRv8YVG75Z->ac7t{L68(`mQmFI|>!_L(XL?vwJLNGBEZrN(kB5Lx$_ImZh
z0ngU)Q#thsG8ieI7TUW>8TOet=O$5aVQW7L?PG&q01xj6sAq8AtK!3&YVaKvN!m*>
zd3~{bPpr)UC4UUK@!5Sb#upUGJlqH~Gph&;(J0LrY1r>mPjat3Ch=+XgVPiZDppii
zM^S+QF35JqnQwlq;Dqh-a0tK{{$B}550j4njf@l+{ZfLEgWS)XH?&Z{or-_onc8Lj
z_df3drduqG)BC&Vtp<wKzlh3d9WCHb(KphXDIpYi`jzq)`j#-LJX$&&fa`N!^*Pe6
z*}VC;mm=>iTK$!1Zb?v#6kx}eAwgw*eLsL<pylsxL7ueN{D1_~wS~h=&yiUTB&H6c
zod4OE<Nqwm$xjB=%e*N?93MaCb_06NFkf7o0JH-rG8_=cAi&O-D$@>lWLUbp4^Z)7
zT?xwuOfUC3+|S!W@+oCHKhy$rvuk@kyE9Gh;s4%dV=C;zk()W7Xa7S?x|IFD5tFJu
z`!_M^)PWI)UDki~Rk-OV2Ra%E5yp(00Bk{_nro!yGx0@)hu;CoJ=WuPj*gPVUfpaE
z+ooWoC*5Ny0fzC3r6f`s`9FsT?8TcJ0;(5TS)(cPRD8eoNiF|;u3Ky`>1=InqxC;N
zxC2s(?(Xh7QYt2YV+4RhBhBXPK4(37W+5j=f@U$Nygc^iE3otrGLC@SBvw)A0bHWJ
zLCFbC+pF#GCE7>%tG{~`m=_z{+a$bUr*|!Od0|jxfs2uloQQ%-|FrxX{?Tf*?@b5F
z`LD=Jwqnsz5Bs%Wfr35%Jdtq<LH0YS<+G$OT|u>9>XIHNA(9aN^T*tdp05?|t-D5g
zZ2Zi;#qV%?Q2%3vtB)Tu?o`($dgQ|)z6IQ$vl4*ANayI3m|3GkqQzn>N~iy<z@BjQ
zRr>PfK3vaf_x|r(Ic|T#XkoV~%BPSq`+`%z`9ufz?6rKrNCkd#>0=2H5Y@-91W4@d
zSq-J(aLbiAb2t0ZV^Osu*IMKWB~~S|Bm;Zg?L<_Dl5_g_*T559ZpSGW1dt~+VAX@V
ztxeauy8YQS7&>bwUuE=bo?Pi`-&N_i*0`{<QaFw~nn)0A!1t-=8n8pM!9r)waoelk
z`V(sP{)hNj&!v*;!i2=RiKjdMc9!|J1$$3WKHhb+RvW4EvL||#_WPCEfc|#*ECk58
zkLvWaa3O@rn@yzQ)H!R8_3e^!Y{J*MS<kkC&c^Hf9Ri}sp{5xOBC-3fgxb`zNeRoQ
z&wn59Z>ECWlDI9v9NwEB49c*mgR)*6@QzKF4Ncqw^$;jpp*Vqkrcc)U)&s57MCgqN
zYdv0AogMqWO9IK~J6z`Pwb$ZZxIU9g-8E7x)r~2FB^jSn=Rkc3+_ke*+;I_*<Hw>B
zQm1Sd!_M7xx3J#a;<D)9MB-X2rO_M1kx7rUk%~ccq~450KYZhkTuMo!6DQJbuY&ge
zj|I1W#VoIs@s+c~l#81d9RzqrK)fp=Z>t1a7iNuK+|J?4dm{0@kV8q-jLYxgDi?cP
z)f)${UcJSq^4AEZzHWGq?d7eumpttox71T?M+hgR6v|e<1%Ze(paNW-TU}<`&$+#;
zA^Vzz7&?V}pc5nZd@*C=WuD8=7xKH%sX;fYd@I9>K5G_F;R4_W8+<iByDVLs_G!c<
z&|ZG)S?%KdNN?;&9&Xbfi;l1RX46c-ls_0Z(t5|v9&5J0^zfo2^%ronZtbb@AZ=%m
zq1FuCA}<zyF9dbgxtKIc`HY0^QL(2A%!@_$4oNzV)HouIn-<Gm{eBc#)znmUUVi~A
z(H4H><ey8t{<XDc0c-ah*S~37uzVE>dn=`f>3u3Igzg<Cq)hJxd%uE!31q<`^X$t-
z!_{8?g(rO16y_7DGk={zvDp<*?RblS6K^c+f0cI6R;F)yaP560(<znO)sirhqC3Gx
zX@wET^%DUQ+kQMf_avCXrxd~_l+I+MAVshj=dx!@lvw?g^6)udE%9@kPBuwK&#4NS
z`SqaYHWf4JsW)>#InPUah4P*@LypjpZZ4?nE9k3$IMB`4_IP<^7k`lqGP-Pq7;53Z
zBXLc8n(Z^{vgjpi>9(zJ=REIhhl|-sTHe@if@K6Iv<!uXkMM2dE2-FX%n<t?aFDSD
z8|ph<Zn8rUR=T7!$qx$X+pb4pD#);^Nn25$hCl9p9K?72JWBLdK@qq6`|bA{q2pZd
zEwA(6qXN23s`sf<G#J+33T*z0b`hLyy-?qw$nBRZ_d|_M_5)ate~{`IbMH7d2YoJO
ztn}a$Y@s<}C^Z1)d^*Y$*p$rTEs!MS*D0GCzOqxf`_d^t72W;q)F0D_yH?Ijl@UmB
zci}<Bl_llX6MgTriZ6H!yla%=Si~*Rywf^G%k2klOm7zjd$0&H9Imc0^DHYi%kJ}<
z^sUHZ<EP4MMM)|c=bgfa+2Bh0r!C7xzOsEe)=k8P0tOiiPBku2xb?{x<BZbvrRX_*
zf}!F{<$7XL1+#wW*+<N2k9((ui!AH%N!%RtvdeNf&FZgQq_q?9lQ#`PrBr5iPR^>~
z?_pu8;YV%X*rt^*F5KR5VBHL_9|-Lwc+Ay!<MAB2_)0ruMF_R+K|Al-Znq$mdw<X6
z5DXiQTD04~u@5hcL}LbJ=?e8wZna?kOq~{Y)nBkFRoYU{P&$3|ptS5gLsGAst+$qx
zXxXqU_*9M=fn|~F<x&q_IWrg8%*M{ZC2aDqk9WW4D+L9I$BiI;;70f!Oar7PPa2PG
z7-48DvVzUX<zvHxJa-8-*au+_`o4bqSI}{Z=~SNS87|gi*ET=_**G@VHZ9Kuv6IJ(
zlJ}4e{B!Q-Hs$HitY)8ttycjVcdeh=7Qr>}>sMw2H8(xzce+Jr`JUUc?GEKz(%U|E
z{4B!N!%N00NT#8(ZjagLc<49MudByQf!l$o2_2W@(Q6x&e%qPha)aHj5N5vJp(Z;Y
zVeQbXNid{Ek?v8GCe1p&yjbFVshEYll_2G@YZfwH@N+`EpXp@)9xQb6PQZg}I1kbr
z%h9GjbZ_!mvyBAAM(iW_=lwVAq{ZC}G)7TgR7T^fTQ)jt7i}LFt7f>WEb4k_6w-8_
zdd2-Xm=c)C?=F`EF(nsR1baLShA)_Mc3|54_<;+X&mZ|R&(|zPJER9mXE$dd8o9~n
zXn!_e%C24Rh+I9!ZNTOPxD}UM#k=KswdL1eH5|8CJfo!q%Kvn2Qq0aMXum-@KhXhG
z(m+V|1s+XvJ6y?%y!+*@h}CV}Cb6^E+zxP!!iw9|kymFHw9)bNX4TTh8%_0qDm!^O
zkGx(oyLP7T+RPCHqSF4&il+j5^Ovr2?pM1GuMmP~+Fy|M{dcGKaoej*xbfE>K}ibu
z2njP8+hY4;_!kC^CpNd+7ot1QSO8CjcwnXe#rPqcKgDW7t70iA1FVr<tMQ}$JI>nL
zUx9cca)dA63-~XIj{x8FS&-XmV`s%B`qG6{b)|Q5vLTR`#SL@Bh&@x4wlT66=UxWM
zaqdr0%xt7gHF?%cRW3rJ@UxQFu_$VG`kSM(KHFH;NCmmgJ?+cRKhy6kxgG7HHP{zx
z*j<epM5T$5=g3zBtylbB8kTJw?^;jW5MD^eUh@`P*n;^pT$K5;z<BK#n1swU!8~M!
zNi#aSWZuzVnISES-CSrqyydS4zOdDH)*m&nRUbW=xoM&{j;-J!^vD7t4%PX6NcxU-
z^%U{5aRkk+*v4kGHB936N8M?uo&dG2BYiJGj&DDYjL)$6@pdPp<oKW$5Y|B9Qg$}q
z2SEl3knCcB!?-sx=f0v7N=#sJ^bc1JA-I9hwP-`pt%{K8aObMgTzeKQWS>iksqKnU
z18)=Ai+o3Gk*1HAIAWR5K(?Ij)_^Wc11dvAPYcRUQRz~7Bv)0nDgm`$-;khg9d9b<
zY0S^h-$~O05@q{$WcI6v2L?b&PjtUp8l>vB`<3?ZQ?j8TVKv{KA?Cw;vhU8ZsEEg^
z6exPM7oOMoyt>9j(Z*JMIFPe$#|W-zK{*)8E9P4lPtt{rygDBL@;9Fnw<eS-jXh?R
z7n_8U6~`-~YNm}D!J+VID6A$HW+yXn`aRNGw-F>7lhZg(S3F;Ta)6Ns`2dLA>H^|v
zMMf}}V~i;f8P%_SJDClOE?`VCnq5gq>DtV6HiL`1wTFSD^v0?j)K<`$+4_eUdV{>8
z^2GCa)~%c^wJ0*_KK-q7Ex*emc@aq%pM<@{IjSK`1rRQ{N7R|9eSA=Kg9p|TJcedF
zA8Zo_d@p=Jg=?+m?q)_M;pyEeq6Xw1N%s`l`|Ha+&HiwvUSh|iov4Y;S^Z0ST57*t
z+EXkVAGk%<#}7mNW&@>F=gZQog)i7ebQCbU?!L;#V(cz-5H`Z3&L`7x!?*U9M*$y|
zQ#a3i9<27uYY=e|p1;fb_AL_FVK~HYTztbIP0C#iUXSwjbiX_|y&Z}6fhlf>OUakG
z!(I&ZrF3p~U>jym-Zs6zfpOg;Z*(l<kV?_h$<ySBiL<T}yR*~F?I?K@bmIqe`Q5Q%
z35!VPlQ^#9(g^?6<<VC>kLR*4Qg>b(6U$9}ytdvCb;i>O=G>ZRaT`j(+#*KOw=cO!
zyDxkXeCRxGQ*1q2me4TU?i}UWVKBuy=BLD%^tAP&6PIALWxILglvrLmIf-@O<u8e+
zMsAUf{NclsuXFsg$H>gL*}qhtG4`YIujE!gHybk|Ez5vTY)3JGm2wLF%Ll(U{l?Sj
ziDh(v|Cj)B|3>;%FJA*E30P#l-dziAog-}i5>(#q*{WpL8HI4v`4L}9_V4cB^N`5q
zsiW6obs3J`Yc*r&KYe<Th4~b{CW~8(?~=g=*JM(5Jat2?=4knkU6ItzbY<1;YWjer
zaPZ<N&Yu_-4_94<!aeu<RgAf_${yWRN*tPr6UgZ}>dgGu?^6=d3dlxO3iE^%#7Y#L
z#L8pcePhXK8`gssQZ!WI5>_g=X5y8CrPUse)LUNt>%oLr$4tVvpT&1(2AAz|O~K$u
zGOKaTk&w35&N}kg3Isz}a^!p?(=QL&pJHIMHGEP6b<$`r6b~faJ~v4^=G~LxB^aF0
zpD|+ZbVaz3Ma`DAN6zKL(z5Uk#<Kx{z)baiK%{!&Ny*}gukS0gOg~k-F7`epo$mGZ
z%;!hma*;Hxv$1+h@ExfC7PtA0sw05(nC9^u<*k*EzaBNH5F8h-cl`sFJ63H&2;Qap
zu{ZObp_ZRTNe%KQRvLDK9pIK7ffor3?@#j3s9i^F!(cDnRRue_*yr1H?pN`^V1e%6
zbEYIr6$QE)c}LutZ3d(<l^F@&Do!l`f5*dM#V1`jl0Y@7Am!jZ+rJTN8S$z1`jv7e
zzYYoR;gf!%ZXr`u)o&w@PG0xFB!J)U2!sIZWvcfhpq{uJKXtvwo*p{&mTWf8UtLPi
zW}ydE)ykja|7k%GXc8wA>&N>zp>!2%KP5K|6>8}#<Y~A~z$xE82?#TUWPfgr<TEjX
zW9(?>n4y@FWga4)y;8z@>)9Os!qUuKO6TZ0vXGs<J?!Y>#7#!|(~3`}4rjsykny?R
zy_LbCbR{DxO!35CmO*t}&ClihH-ujU4yra!H0JzqwGt-n>EHAPynH|M?NqSrjE(tf
z{_;t`cKbzuJE-3g)$O<HW~KVQ+;c*1)E0zkqe_@^sP(&HZV4iC`avbEHI-ds*c%Fe
zSErbFOe90H`}*5-<{@N>HwYFe7ZQ-KyA~3>+nrj>%QrPT(`-}HWnYes3Z-v!i!!Mb
zbc^KZgvx%rcO$Fg;n9BH5r1*GBRciwU0BUtEU(>_sOCQ}@Sqvj+*RM_@Qth0`#T5<
zT%)pu`23*dAi0GmQO{~m-{2D>(`eQ#JpCWbx?uFwJYIOqH_g9k*JLdh2Rl~vZKytO
zw{^P<@M<f4&@nE1SrvN0O$i3g@<&HFe|}wGuRD2iUVVSxk3BZO*EKzK%Iwt4d6JQI
zuxRJLHNk4nfBWq<WVQNqx#-*F3khF=9j-mM@8spTUS51qPR4eUrD?~sgP`L=XD@!t
zumpHPy+a>xxfA$!k6Y1sGhaTvna%y}=8AJ4FBg6PQSd|Yo3F0XzJi@TIx&imxu;pq
zw{c}#nC~;|!R3;NQ%vIRW*fhHd@<o$nRoh=%7ZpiHNdV^#Iw6Q@}_r`l$W0d-3F=4
z09-uFG~qe${>tgf?tM3a3$R`uSabXB+Kj3jKhux<ostz+SN1>g>Z4n`TJ$rE|Ak7|
zT7-kX{NJ~EfBVIYnsZqK)0_3g&V2b<68~QzJ?%y5>uV>0BXs%sj2^&ipBn=7_kNi)
z2Y8Ouy&`_w>&ol7Oy#Og7%~MeU0k^0q_{Wm_VMPkr=K2PHap3dJ@&o$y80QHuP>Rb
zWcTAiGqm@~VQOWi_5X|ie-+?TscqhO6ohQF)=12qz8p9rk?C{o-khKpRemP=6Biy+
zU8W;GeO)oI+ia=20d#+i`Tn22nR$A03mBFF2e}=Vcu&_m2^^<TdVW4#UHnSm3}@Z#
zr+{s`<mpG2D`tFqGDC81X4VeH;=G>IP150K&+D0<nVNkr+5b+4!DPcevu#sEw%N!E
zr$23cEk8SG2C$q@{d9GGU1-|*dAZXW7=RWCf+oW5-`58&J}m3>?mux!dGo8*@>Bg=
zlXnW+zRI~V+blPUg~LG(7%mZ@gI6qTer(wL^wOsr52x`-W<_O9zv6afVrG?}L0Su&
z0I(EO*ake1EaDq*KmSbk6N~>^Ss9s36}nmS;>@)wqbmvPC;I&Yu9U1Ze9rTe0eCDk
zQ@|w9E@I&MFViloKe?!U;$D7K<VS-g58b`v6OE&Q&C2Qf|D;0BqhkP`)X1>x$&HQ4
zpT6DBe=cMD?BcV`xzQO*3OCNli3%yPo1e7he)?45nlP*B*G_UTEEaf~X|QY8E{VU4
z0>I<x4@}9t{N>_e_ov_Y|KA(4_m$jJ(It!?%@=OA{d~4UzjR|^-^?!tJ>S0S%qck?
zZFOn$mt(2MpM+C^7nl}-7L4X@zneCl!2vW(ad}yy$LwYHz`Z9Y3`E?RFWp@B^Vu)p
zcvspHb-nj2E4JUSvv#jzoFN1ZvQ1XNVO1VJzEd9`AAbrQohZw!%$VN~yvl6DcUA9Y
z<w0Q#z>dWV30_CwV*QmflV1QA0+wZF0;f}#?%f+3wl>OjvvI>FVAfxu#p@QnF2=C^
z=Ia#`@B5nHP5HMUSnL-wHh4kq7n*gia5V!11Mng)CI*I;z<?bJq^8QJ|LmqEZrvBX
S_VNK;&*16m=d#Wzp$PzQ^Q>k7

literal 0
HcmV?d00001

diff --git a/doc/sonic-build-system/images/upload-package-automation.png b/doc/sonic-build-system/images/upload-package-automation.png
new file mode 100644
index 0000000000000000000000000000000000000000..21581a81f67595c0ef14b38bf66dfd49d2bacacf
GIT binary patch
literal 13209
zcmeHuXIN9uw=QZ#5T%NA3>rkG2`ELH0fB&k2nZ-mnxORFi3SCw#;73DL<B_Xy#<tN
z1PMqdgeX-?h!6-uD0lGZ|2*e@xnIux-|{@?1MDYzX3w5kYt6gXto80EMus{^5Az>p
zU|=|^i@0LUz_1^~z_728i4oj^vQAZj%RXOY9Sw$}ZoxV51L6!ffHN?ZCbDeV9R$Cb
zy%0Bj85lVI_Wt&b-#HP)z#u23dj)P9WJ4wrW2Xkw6@JaKrFWJD+U&1QO+|nB*xdXq
zcGbYX!?3}dv#B8UsIraVX<o+SuN5i&4VuHP2{Mt+az}8tQz4Pk_trkV?<+LceV<(P
zUhUE>^+Bd8F~>OneWISNkgm?ICzxd@J8U1ra4eLW;iC;imw|zH60x75ga^*aa39MA
z*0QLDhA`ZgM!`T=j{izm4X2&Wp{DL7V!Z<Wt7k-ZfBYbFcO8ju+}T`k>V)JX&<|t6
zs9zPz6~==cXwthY(t1wU*@RUrstj+(Ky=@IHn$BQsFyLH&z&a*lC1yUMJOY*@l%<*
zTh2L#HoI%KyP^mU5zrglZ`_zk?Ibnd4PU{Dp<u@}!1zp<smthxK1>)R4md^-Tv*|p
z=T0Ip2jHAvL=YNU5M3WALPH5W{}`&v3ei0i4Q1x$fZ-lMnWx!dStn62C2$c$!A!59
zVTVw#=bHbnK?UUyYHCfY%JmjIUhav`v(=t!T@?F(fDe@QA?oifw}73X4b9F;Ds_gt
z`eH@b5Kkt#kTCmI+|MfQt4Fb9kVMDGrjNQ>CUN}UkA!tK&c6#x;Dbqbd#pWt6`n4O
zkh1xpjwY|%>R`F;0ACp_G;~SZ_1NC-nk^k@X2yJ^?FoG~a!N*D5kZ42Y*c)unB|e2
zMiO>MSpJcm&nUE(Nr`Gy&gpjY-B?DtZ5rOgR&9K%0fV_@cW1owc%PqU_e^k`PocCX
z!9HUW?n7NDkn~;OPLwn^5idRwon?tvRu(vnAv)PgwFIj)t%XoGDs7QJJ-J4yHMgQ@
z6V}OpC7;KFAsP*^s>C9z*>K&O0|Tw`gH&lv$JupXftibJMyj(cMK02omh{R&TW4&t
zSNJAP#XJwGQeWeO9seRSul2b;%;WG2EWAva6y(vBhm}}fxU*9@WE1SR;k)ixO-o^I
z*irkdaiyE+MP@JRN4aa#L}+=Ko9H`<yg6Dyp=w}DLy}0r_V2njl`3Y8IQ8bjw5vfM
z&+VaH&%5e_)Uh>uUXE(G`1z^>Ycyo)#x=`^p#_eA3}(s^?lazU9D6JM*4u)$*Ja-v
zjvw!n$QWW(CC+-t6bCci>T-3eyBZrTcmdH(LW&{e)zd3;Go!0lYr9-GEbzWMkyBxf
zu|x55X1k0sncZc0Bq@UEWNldTH54oSSG^u(IxBkDjOL=61}{)EDmy#s@WeYdS5Mi!
zBZdY}pL@O5*j)rKQw?9I@`V=22*dhTG6R#m`K)GV{R3=Wf!M2pi-%7AvjaXaqoz)V
zS*^`WY7B=++YX=Js?58&Ro|rGn;I<oK@}xF^T~6qR4dW$uvMp%%fXU?`vRk#Wjj0O
zxfI5)FNP>;fy-12bej4ujcj;XzjLgA{?LV$YG%TJ63H*P51-G>0IN)Vu(Vl-+x1wL
za)aLs`sHauBU<aVdwO*#bh1eC8raO5Su+X<7|gI$cute14sS`FaGj~=^f6DW-`Eab
zr_Rl@rOv4qV#%MH3?4gKHqJ~>64ygi|87u0YEQsO$bRuqu7B;_v1Dj4;y<=8ofF2U
z`(J_uM@uzx`;L!42$DK{=81oIhwL;|smZ{0!BFCQOZ5gpTP;gsoDe_(c)D^DU`?(t
zj9}-wW;0A@hk3^QHFME}xEUUCcp1T=R@QxX{9A0tr7SnKrVpWdiQUDe5uQuAGjgsZ
zWJ7*$sH1d2V|6#xe90GUHAAJ*l@`NGuEGCV#?y%qn6&2T<Vc&AxIy8=F0J#f>g#Wq
z?GsJTq&hbZuq&xGwX3|eF+f&I5QSUX@I>}e|F!YKJW3-zC`|IQCx@9YnBpD|B5uwi
z5>{I)BW)BQHn*Z0gDK-tHdsS1tF5tD&JEfRYnLbjRA|i)i&ZD|V(`wqYhdKP?0Pq@
zzc7lp9$lq8$ac|_2gcJ^q^_peR2zW*;iL9+X{LA}qPwi>C<fcfulgPZLyG|@Hg-cV
z(xxg~26BaQGY^72o$0@R4R3wJe_iG2ED7dYtiuz&xuC6r-Qk>{fy?4PD~|{`FuXN;
ztf)#+$7h4mnbFd_v9=X<ce_&FvVk_Cq}o}>>66?!a;vJ6U1i^2jXw`{Q9fAUl%8J6
zdPrgBQ}K3CYe@h)?nJh8F_(mN9;M5Z@3+~^NWXnm>_)+Mgh8lqVNV@xD}c>O!n|B?
zmb~7_<3c_Ccb7bmbTr(Qdd<gHSHb)*e<IvIp^^4flN87KFN0HgO%wUK<1lpO|B(Cm
z-{<Jw3c&^<*1lbp{+fZ@*%(PgZcT3NB5CEBYleAM;&9GfgFU~!y*5;CZWEjn7+Dmx
zFr93hf&D!ZOZ_!mbnJ|6(2qyK9~VQ5_>0#`NaV<+2WNp;WSe%kDb7us1H~Z<^Y<zv
zHv2NWBUYYe799Ls8uO9wQ@Llvy~-UjX~&(`#$zjCdHTE-3U>MG>S)AjuTHt`&Pp;C
zE)(L{*M!`mX5w4!(3edEm&Q_5Lsngs%<s!GV;JI{@flyogJ;t}34g8+q;zMf1k2L5
zsCa4Q`hx9l2<@u^scYv~w0f6KD7o^*oQW1R{x<(U?$;MkFr&&u^_`%Ah=_54{gb~I
zw(0B6NIHR(WP%?=Ia;b5e^9QPXv$%9>YeuOgJ&K=nN7t|KOzsY&A>~gSG7vwY}(Zv
z;IdCPbQpwQAyuUJOML8S#$3KQ(c`yznD(f?-{JS_T;Fv6HgF;C9Egq(l~X-cp(^`w
zub?3@N!@l~lko~6EmmnQHCJB}E+S5!ZDmc5<V$S3z+eJmGp)^)PH7!B>5dx%bU~YO
z1;pvOlFgnQKjun8Ah++2ffrr3|D2x1Vq^a<BXoVqdI6QZz=*42D&ue=biO=i{gdkf
zFVq|bJ0C1l(cKcwrW5`BNe7z@1TPZl$oWZr|I%=eX8T)+4-B#Y88_CS<6{)#K_s1A
z%_jUYfdlsJ*yCu{P#vR$4j~$&j|k{Poy*H)73NGZ3hvTu?l=NgbpI4nHOcb5-{WyR
z&+oY)kbqtBBo1qx>$MDwi8VFkhCO47rC`^`e-`qdvN$jX0egA0s#;3rg~=gYYa#Cg
zL9m7-d1BqKiHQkq#+Al==*aO;BYO=@n9K4fd9^PK^3%N+2Os5OG|~DKRDJ<*IW_5O
zdq{#V8sae~uj-cSVI6c%=^$A3uoCV2ekU&21A$U<A&al_tn?5x<;wQ}aqaJ>5Z&)@
zC(cbN3MvnLK>M;`aJiN;+V|DlZY*6M0d24<J|6GGJdgE75moWTnC0O~k3S=2>jvKA
z<1af+%y-h$9MqQq3NVY)#D4N<V_MWhLs&gbZY#AHvRrfe0+-d@hwLlljn`#%1DZQz
z(jwB&2@L3Lo*;vQCK^&C8d7+#?p<~TG(~^=<eBexm@pr0<d4ev&Rg<i=;gy@M`q08
zlvq0<V@Kee!@A@Hw#mR}<X$jR@sfk+-p+RSu(s$d{C)2*Mwg7-wY6$c4_&IIbnUE+
zICqj5o<Nz8d^=TH)D9gnGf7-cjQAZnQfOIiruX{c4HT@TS;=Se9vepY=<Mgl?Gw8)
z^w5QvwVx?*=QlPtEWzWzLU_!{jqBr~MWe*aXsgP(_uIoFXQ$t9haxv87f&><Ny0gA
zL3H2GjOCHrIsE7i;;5;T;odXBg1!BxHg?*ilbZH{W>b3YwcgmN?$dM*n1VRDTN|IT
z9ZuV(ga_`ZW+`x*F=I^U1~PZUL@zY@?}Ts*JgInaLb>=WHmQRdL%6Ce;V?^>X=wSz
ziq3DOV=2XH3e1(jjX&)U-~7aetk^QRd9TL*M?MpVe)fl1Tn_TuM-arhJP+awKk~`A
z52!&4-H_q#(e{%1^11h|IFb9`fvb&Itk^E}+-_M+MAlVref4WYi#xQGwK|B7*Zneu
z;93wZ`faQR_2IdCE&9{)r*ojpAHYh?zx;UriZP~97d7=`TJcwSm~<HZL=(2m_hx5p
ze+dg5^FEw5Vta=ayi|+JxP0Q%c~-7E{~vQqm<}#-Ffap$=sD9(?Le;xSOF(2->mMW
zZ%lOl$u76~Pq^*oNBNwvYo`M4w}%Wn9MWS`9#es1&KbyDsq?oJrZHpkXO%-Lj+`h@
z<p*YFavEWrb2j}vW$;n($VEhMeO9YTuS+0mD#HFyev+k3^K&MQX&zCzzc8(6EWvxd
zy*<Kjp*gkG72UAD+>xv-fts>&tK)W947#cC{Q^YyGh($a48UqOR?1t99V?|UdubMN
z7!%EH=e=ka$01M5XHK|^es}~3+K&mdk+NCHYxf1BTLbrYy7%yDW4vvh?0`sJ0~01V
zR;Z|y<7lpzxb{nM;xLqml6Vr!7}fs8ccHm~8PmtEeA}VgKCUTU#_Y!?L|2icT1p}k
zsw8QG<vyhka8&2HyuHH#al&JRSg4ZqUFRY!Yp&jb4MIvJkqP4knJXC`E*uv$OFa$u
z*{s5HXZKybEeGdhJ);q2$&=(h1l<_iSQtsXc}uR^{vn9Ff4q7#WZ&0wN=E)|md+Qi
zbYa~UZsj0{+4CK&_FLo!U>7XjP5p!>)|IHB97n2ZxwBLEf8>U9222e;^5=pr0D~$?
zfihcqEogAU%hU*h;a;<6?};LsnPv@oMG=FY8$Bh4=!e1tE8HB~EFGfT3=o7r>%lE1
zOi9Ju;G_1WQ%snOHrDCkm!-YhaeP;Cz={+Cs$<^;brGcy5Z%pI)|p{|f-ZHj+@ioH
zFw)^PQAF93bd!505ysrnSv68{jJuL`6hBbtrzgvTF;JYE)kmFth;9tGrWfz~NKGzS
zZGwB$F}c&Cz&RKTMjrCjN5P`MpFZ?l1O1ja)x&va@R1-2ip$zqvIjalElHc7bPNbx
zO9Mldy7^uZ)exJyf_B7=)uB^QB7EFRCl|Inay8J7##OZ|y~Bxu&!D)oTA^|i5G5`c
z&IZyF8_VKQ`t%?ilgb{A?P&iPPk}pp_u+!*mT?D03|ELPEwQJ)g5nHfgl2}lg_UKw
zl*bdgyw0IuH+5|>9@dB=aK;9L1?O-W%UsFVo`IOsPXWVG0NbbT>}`^cu{m|YSST(&
z=D{aY1f4uC-J}>Mq-m%4G%XGEkqD^CwytWrYSNZaXDQ?3f`W<74nERPf#QzUaG%Np
zOORb|18de#hvJ^Qg^Ft{FD+h0PyL)Q>KrCFjfYZHqi?-D0>|XX2(1}Z+xwm4sON+!
z#SGW`FKFn&5VHOrZJ$M$F@pVldDj#&lDP!zU!H?wj9U}7a;XE^njh^v+nF$et-1Sr
zh;`_*F+$mm@~UPs{fG4p7NPES`>qtQ^#Bc4yL(zQnaE#I88A|UeSY4y4(3|M0x$FN
z{(Q3eyA%-itHp2P`3e|g!AY~YyWjo3oJ5#OS%0dY>x72qyIo4YlPt~sGR8erbWPj%
zjh}dXsV}K|PUW%t75!qJatV}UoBeS5suuh15|{aUn}a6!*T&d*><m#JiwQY()_VTB
z;H5<&p`&28>EmNB&%e8&1i|UGy$B&o-?#Wg5O1>NX?}08*Eb(m1a{<FwyJ@fZ`=th
zMtGS92PZ+??>(FPmY4AP==O*>QvHGbmHZ1Y`UP|gzX^3lv4(cA4)<LC*&BH`R5l#t
z=wzRB;*!3q>GHwvgOARS?Ja9m3o2O8J!#ZNdvuozCeArq?N*P`8TMPyuoxHu9XQSW
zL!p@<o_yh-YuTHP^JB)mcuYMJ9p&vZbX6LAA*Ad=e-UA?<EEBQYdxj0zO3=cjnzA{
z1}I0-sP^zhv$R=zrW3q_OJG*alP957)iMs#$KK!Ngo(48<JSr+G`af@v=|q^9Y^r;
zC|eTUyNtASv=`sWNZw?`NjLtsr=^m%?x?BUud^YC*cq6n;lC*q^DlsyFl{eg)R}ZM
zDoA~KdVD=%AYiRLbK8y9%p$$2mRnU!+M!ibDRkr3vvBV->o3f0=E9pQZxo1y6JD0a
ztj&YicPTw{v@v4sgY8$f-`^vhI#r4!A|2C$2<xBT5zm>m54Xf}%iSQw5X?C)(`Rlv
zv}tD@^LEOKAG7<?zI1+Vhfa~UoLvpy*_g#rN(cG*Io}nJ67m(zn?OXoeo2eXGYM|&
zIW>2V#%rP#6t>*PGb@THGCSM2IsajNJ+I&3#_IPMCqwA;afiYeRbto4?gpl$)%jm*
zO}q4_&cR@nkwZB3-3|O+W~|b@-MAvsQLrjHwTIOzhY`2Ch2OQ>Id1qNJqv=%h3I<d
z-HW`Q!~Q1$)^Q3U5B4s4^tS2QKY6m|WhTr~kVbne&wJzWpLCiRz)?+*7|TDZ{X*kU
zf=n<GIszVt|MxKew`CLmCUUB6WRbQpIn9Qf9N8e3kF>4iT}{M0SK|jG2&XcTu2lnX
zb;|{-J&5xXoo$N+8$?6uS&Kc*)tI4Gf(XQHqVU*Psg|~p9@h>ZVn$*3*boN4DTy#N
zs3u$aV&{lEUT08_*{jgt1vBRs<q~66kio349C%gNsfT?TP<o^jNmBFN;T}}DP?|;X
z;QR7y&z6b=U~GhdKoaj)f&(>#TsPkS^OZoW>no&T@`CMEl5@B_YO2&g6;V`dd)Il!
z2=3!XFAv)m<p0^qi~);s#3yfrIdF=Tzc4x_bNff%&CYX)KKdM5`_9;k(nHH4EJ?YC
ziHtfZD@xhyUV7lV?xgr`W3y(QYOxt2hM38(k2p&3#g3G0bHLa%(QeO$U_9dA2fox<
ziQtt5o{t~xve%5Ltq!VP_Q0P~Rr9iNQzK<b-=`(FOpua`2m0+(qLZ>z_6&X^1nxts
z3cVjtUs09ix;FMzL8EZ!CIKo%*qNUs%adN>Jxh<I&IIzkA^2a+mK=Jv<ji09Al%Jn
zdFxKF^taH34T-wU^`0<uHTqImeIgsSJph7JDJ-;2u5)+RwB*0X7D>o#+mgy8^$++Q
zsqFI*z#e|*u&`t|NC2@_d|BjFnTV}?k4sJIem}FW;n#&1CU&@kOHprMl$4)5S^!BF
z9~qq_4p|t6Zp4;4ow@c$u}f|8_0_~u`SRcERb=_rNmqeK8>@-VJUoTYg+lx`ZqQLY
z)@8q&3dLvRmWXVUyI(|lNyBDs9Cp_K1Kz!$VK6sXGQ!5TiWYiplzPiHw{g9MR;|k-
z`<tJ@0i*U?Hx*S73@tpbwz&HZGzcAiSn)z$zFMuAcIiZ7VbQFeBT@BxNU9vX?0N{=
zYJ)RDyV314`Gt%7qos|BjA96Nu3r3dc6oC_ih83(R<Vt9xSF^)?WgQ>vC2<Cy$Xn;
ziU;naOAiR-E&n8P!1V)t0keHaQOQZ2J>(nY`R-zR<E_lLQHS{6wYPE<;$UqSzJyv|
zJ6NGgwYE-J+vv6poK~g%6?Cy}e!L%{CCGBL#@eDPGbo-G;E_X)?hP32qtUGlGk1uu
zNdAL_I3VkZNXI_Y>_FJ4^M(FS?l~Wap>kB$3D@H9ov*I-%Y}zd^T}mWeziL|wFz5C
zt?c1rjO!tsH37`jy`qB_mFK>b)3kD_aKlQ<cF3OZc;C9)m8hBOuyOmFNmPWVW8&J>
ze0bX|!Fs7Qcr7f-ZbwNf7aLM=(Va5e8$r(4X!rf5t+3ko$3Tu2+Y)I#?pF(|QtqW{
z%OIC-gxa!TvdMn0$qG?J#5P~n%JCUJVAv;MeTRL=Z*nAwf8I(<?EcbMUhS9T{Ag4j
z(QPZI8u&kpRvoc49Kbf_aY(_BI5gLt7Z`c0D9LW8F)Bo?jvAYpdRID0pkQtN{A$Lb
z)|EEbyj^J|HrPfr(~j`Pr#hERSBc6ssOwBBQ1MhoIc6{p6<5-FHiI*15&78dn+-ed
z(BP4A#?gqt;8C*NPWb0Fc@qE}QPA4o#*M_gHL={;NNJbS=J>)XGPj3Q_V5a*c&xD?
z8{e>cs?3B2BscL|{*|jH1V<cQvKw`mt;t&O@G=|qx3Ep9^aYviR<_icYWdx&@WE$6
zhSU`K;-<|817M@h=8`k@K_Q`|8F+{3a!QJ4!|ZsI0sUgtDa6cOukBl|Y?JPHKmVqQ
z343~aHd`nQxzNEb`!qyQ0h&LDnkwrJXnJXqyfylTV<uGptM9GKmr`c$?o7Lwef!YC
zXqNOT_+bWj`Ni$9g970ZH;o12&b7f&Q$_CU?BsyEeNjt3YR=AIWdmj|k{(y&J$dxA
zVq>~2!`kf?X+`d*X`mW5@#srWD1ChQXG6%~$oM+nCTU@yVnLbFm1=;bei|B1fTrYa
zqa3$toI*(#tQVF$r+MA-RNehNmg${y=7YqR;%X&Mn1Da<(aC%G%E|@1Nm1e>F!hNd
ze7Nr2^gM`*0>!Ppi9Lb_^Tv)3m1@q#almSsD+{Xsv;PJ;OS_V@!n<{F6igu(wPuEP
z0|7X6Z|nV&UYz8B34n?i!u|aFV}B}RKY}3tY3#iMnxZhgOay_6>}Sl@16NRIOVIi6
zVIKV{F8*6(Q=$IQf)BY~Pde+rqPM3YGIV49Louz<Gbh2C(m?HYQkJ-g*r7M=hEhV!
z=ZCq|A^AdwF?vqMIWC8Eb9~+zN4_;yGOdKKM6#*<+`inuwDv4>%W*FZjx*DzPQ*$V
z^<P77_Kj~0Sa>!px0g8?k`zc`a!B=XiV4|l@M%jw$cQEt`fg^Zg^$vOT?>~2rgM^Q
z=825{;<*c{nWNZ7kRo<kP|1*poEox4s?xV9NOk(J7Pf(l3)M~A<i!s4o#k%s=#0%7
zbBFD<Vx)CdmuxG2E;REVJ!b8cd>jXAQ`nqvBMjfM9<KYwyo`b!v?y-c38B!O3JT1l
zKj<V1OIl8QJMqDk3Wk5K6_#kO?InIU^j}|Foo}yO>D4(Qi9Fz^8cK7EX#G$h&-VeZ
zz8kjT22Q^Pmlv0JSCX3+t?$y$vEmuF)wWmrI{igih1%x!Uv2_PF;6GDteK2t-zkLI
z1n!v_R@|d{9Gq6C<?gHHE6BdE(dDIqMYw;k!C4e9J~wy<z4<gYHg=r5#yaGbokjiM
zF28=X#KUEU6I;IP@AViSPS4C-FZz7lTT1kN0YM-|uNYPklV0S0Ex&9>KNWg2MY?IL
zERb?Of+re!KO!9aG=EjES;I=Aueyc1#mOJZ<3HP-J}sAW4jki<zgtcWn$0vmOPg%?
zVzF_`al8rHRAYDPHjn1sbMKAH6(!GUZ~ZLdDSgJhpzWqUK_Yhe-PX^9-psFgce=0(
zbSqt{Hs54=A=8+g!E;Y;@Xv%U#$;QO$-3`{ZCZmj$gGc-<V6R?bFZNbOd%Z=fxP0O
znZsvT$#&Ysr~B<qJRQ$rG5sg2MAnyxmX?R!IGjxITJtw-m7lI0vPr!*o3;gt@!YY#
zH>>8fo?zP>kKPRv8P0y|M_AR){U)wE_a<7#(0^WeNUhm!)hOY~+Sw|h!Drx+7X+uz
zkA6N{tUoMmm_*CDoL@zb*UvG>aJB`8rH%Fn_Ua3cjyqY}zsoFR!YslX_3brNSYz{i
zEXDPnOF>=Cl`Yz}E9t+9^?}LwDA`sEG?B9P&V}NA{WM7Yj9e8Qf9xwh`Agf)!n)T$
z(mpRAEAq%Vd~3M_tCKaMyxW_t)0zJ+9m-sC0FL>lg;-S1Ii=zB@Tv<JOzG9noVb=S
zZ=3kiW>6Z?&7U~$UojUD6c^Jn+P&@c7>es{WoMs@JrjR+=8a&kA^PnF@8!;63v^>O
z-zkL8h48?hQs+)kFL-`3;aD45l}!2h?!xi6zNC>TDDHZWOiP`uX?LaFdx&nX)P8$N
zTUIGFJ*HI(qHAdHa^#C*ma=@;d2STUggg4(q|us4JL=&T^ps;%`|CLAi_u0e!8z^h
zJblT)9lX&h8j8bdxwuidJAQCS8~<tJ6JYt)3uT3)r`oT8M`~+AnLuI=cPuXcAm40J
zOBNHxQIfUxXCVwQDwJYreB?4A;p~Z$fU$XYRs%H5QU)Cywy!;lqIhgcMGtT(FxiS_
zau<#}h9&c}U>pFGVlZ7faIlem@}alw<1rW<lNPoyogC=^2gXTaRn!qfU<!Yu7L_~1
zSbJN&G`v7w$%j2}>qz`TP<T|$gLuoLU?T!`^XC~a1%6Y^JB{#pR+nv4A<pXF!K#>s
zf#MvG#77>F_TS6ydo=ebHslNOZ=*nFOZM!t6TetO;ClNH&}8^E{nKZVGlJ!`D3^*P
za((%8Q`C?sa~xL71=|+@1*x#!_BZa8Ee_9Fj^ds|bxXe`m&%+`0#kO_6H<@!lpgx6
z1zA(0RE!e)Qj;B~R8d+AB{Mx!hGXp8cwLFoccP>A@^_lL4)Cg`Y~wac{6X9?Cd@HO
zLxcjOXfzDrV?Ag8sqs@QWgP1&fjF&&etVehgxaDIQj!%ZfQ+{WmMb2Aa75u{&=}`n
zAcqMIVI2RPlTv@`%0u1ZB#;W6c>by}eS}J-2B)Gx{y5)I(Ci*5+l==%4+>WQ*u-VR
z^i}^IV<l`9aM-5ehK`9w-}O8KL=a{1E@HieVb;X!Qopl7z3a&1jLu<R-jGOnI7Y@h
z!y%2b*A@lMHr;DOvkTl;%#&TBxF5KzsD<9@Wka3^>9WDa+Sx`qdZ%-yB=Tzagx*5U
z#HGr3)8%bD354EhMDzV6Ev4RUc5|djwZkFYpP~U__cwV&eV3}vjNv*DtRgMaT>^0r
z3i>Ku8E8~Ce9xP_GMT7uW2og0h$@+?bowHlL|<B5qgLPXOmC7x+>r?3rI4CP%EukY
za@sA>{eaYSG%AYx7(MsCa}#i8s#>x^c%;}SYUn>Fz#_Z!Z0`l95Y5N!CuJ_6y|yw!
z1jP{%|4P%3(0Q6(?n)qLoPV}6_OiaQz8nwH9fk{b&ySBT^3LL(7CRio)qI?(C((Bn
zDWIH)JPxDE_<gvcBMN9l*tcAZYghVbdEv6wx2YZKM9Up*bQgT9FuMDh{Bf8BU{5J4
zYNO+Ncw4rQ46sG~&Ypgrrja(wizEO%kUb77;DY@?OvH2#^R{Jq31s*PF7yN>3*-7?
z#S14<DgX320{Sr7NA``g=VTlKC@XO-?Y$2$m>2%?Uo6mj>1myBL**Q^W=cxPQ3%e*
zji1H%{==^z@_NHt6ZZ2So(ZOp&qu*J%I`{icJ36PeX!T|K(Rpe!cH2sC|3)eR#oc1
z3|v@e{(X05jMvFt7EZCnz)<+am_)87IxV*}`#_?w>Mg^Apt|*tD^~ck;sf>c<mr=X
zcR65rq8bxD7U-oEwjnV@^U)_++Jbti!f+pcdtyw}HDwiTKKMRXP&&}py8T4FAzd?t
z2QKUBoz(@<r`_*S3nxrOv)3|(HN1oIe29@70~LyxIU6<qL?rYZ>GTbLmT#<lf`Ea=
z7i04R97mQYsfXaQ(nQ|`f|CS7Q4P*1%biu~`4Us(_3`zLf)2W?rRNOObpUyN954|F
zhXZ0dkDnN|+-1fnc)Ce^&byW=mABszFeI2Cw*>amzXkp_e5oP{Uzw>fIX0yOZa<-7
z>t-XhK2G^TfD%lUqS{e@uMUk#z&TH!DVk4U;N#({;a{r&jZg5G)F%G{b+BWt3=aY*
z<Gg(cHMQIpoS^9dZ&zxGYDR?tg4yezrE!`M<Qt;J5W?3g2mr2u{T8na$-)pC5A1)w
zrbP{BeQW`_hhoYY$rN}=x#KWLee}cqT6hD}K%tajjT(H#>zfM%jH=BhidKMg9_EfN
zk8UT(S$)}o;1&d2Q<qctSvY~N9yYtruX*oGd4Stb`lL2PI`McsdF&$u5EGs-JrAGF
zszt7Y#%%zn8>6np20MPS)!nw4#5#Z1!ttixZ9a$30KV0WCoDV@`=f>*>qzH>a#FO>
zV+LV1%St(Ti5r50Qchy0QB#3U>)Ruw!mFkTG-UVzv^HH4zucX!EdE30T!78Q)@O`i
zK07QQ80Tut57e79&00OQAdmSi5;inYR7Jb(EVp-&#}fzmVNAb18Zvk#@%mu~Q6ZEH
z1YTy#&mtQxPmUoas~mSEDPg)3-yR3m%9%Y_U^&qK+KL@!o^yTQCL>p325z(+6-Ha6
zlv9wDdg|Z8rA948_qDm;pgiOBCAg2s9)1>>rU~4nTcFi9f3V%btFEVy*s9UpHU!Q*
z10~X!lJgfBogTguyOtr5R}c-Y<z*@J6l<|Sn@@OELv@et6<V`o&YZeE81S=f2FjNw
z-&&JMmS?}wY=Mr>)xm&b&&R=&7aFPE%Hkq#s%&ulk&X?sKi%DSiP;kkBcsx-b?bTR
z-8*xcJG)=F33C$yvj}5w4jR6hwtGCfVe$<KSB}A=+fi{XqdD;hYm4z}^v*?PylS;i
zTNS&m0Yvw{P(S;h4kmnhLM)uaiBM)it2AkzS(Dt1518kIFhVun&3sGp>WP0fuB&`e
zOfGuf@?De>_tUNcxf?;TKrdGpkWuGuhoWF!UK}bQB1qdDzyiLJV#o5Q$V1o`W$ZSM
zFpzkV+3hr9zmAOjZGT7!lcR|#P#wQl#22K%_f=38f7i~M+P)EFBDV(RQ*HKs52sVu
zZ)kYRc!hv*IW>8F^vPTG`HVP=C8k(1UJYQ>M}Ht8T`jLTD#e&Rb=2aa2@3}J7zyWF
zGp6k*2#7Tx!=Fr1j>;v~ouD@;zFZDC3DFvU!lL1`Ak(Re@YsVi2rDS=m-VR~OC>0U
z)iUA?9N_%=f{KiQJYcw*=HFsub!O#fZ}#*t1+i){v#Q=u<qOBB%AN5^Ci?|5pv;b9
z@o=RJ-9Mg*T}v{_urY+o4&j;J0dR2?XB|pdt0K1cz(I|qhByWAOlfs={~9~&!D8D+
zxOYu`=nl!X7+aM#;pZWX&_)RIvy?p#O*zm9YWmMORMFl)5QmL=O@i+!aKI+d`!|?{
z5KZq&Ant>xWB)U*NVg6VN@@*y>N#9?oCJW6k?WAhD=71^ISUc$F}N)2bakkW2_FmR
z=Xh{)7SLm<-?^hB*i;#(Wg;CRt&P6$Y<sk~1AKoi2kgN_tCk{}{kS@Eb1tt_rx^Gi
zpFRt;g17&rk03e!T9JdFu5lC6#Dp61{tT_X+t8)Ra}4SX7%gvsk(2Bu7RHvRjlfH5
z*+4`^EMeIz%o$Yx`_85*Ay?|)vLRQ2DXR4U2)u6sUU$x~<8@rj<?0XNk&Y_Txt>iC
zrh<bJzkmJkId>nx|AY6fBIKI)%H3HiT8WNnvx-3E;M5m)kXawBuq4tw($SX9#Z=I~
z3Ax)?3Vm=AxI`gu(md0XaMh$#)YPz23a|jZQ;7Y36)m=bN4{i1Q;Ikhj>C+&;GC}~
zx3<D0kF--xUI~bt0)hkl9uS@xT>woE1%b<;R@1N*xN1g=KbWE+c6knv)w+0W!({#(
zA&+yL-_R+Zq~g_^jvuG*Rb?`4Z}%xkSK5H+V|Vh+sh5g?ZpNj0&zslG-Ijyh78Fv(
zfAMm|<wB(C86Vok_lusl1~lKP55<l1#Frn)=k`0T-&;(!3CRz<RcVc-FV%MrGV4DD
z9JITKaDbWYPpc<w8<MYk|K79(G-T%!VZY#%$$JeGRKQj^0!9Kns!4W*v4_{xHm;x_
zYW#mdLH;Mn0}fmNF0!-_zi=iggLnyWoK645U@bd>;h8O`c61_bLsXR2l|6StnZ7o7
zkX{*xB@4L*Q#S<va&&Pr2%9wGE8@~=T*quVq1s~|(iJ|%1DjN3qbYWi=p&22V#N{r
zf!_tRZk$ToL0m67SQ3C#5Kx9=9eibvOwDYOJa9C{Au(`&f7?wwby8G$R<t|Mb^VBx
z%_#%f%!uiWsdXVw2c~P&S^K1ua<<b3)`jt|l7ubapQ!=<H=DzPXNtLsd%Gr2sw!X)
z!8sLGfK_2!(Qb!6e9(JvkK_L6gN1V!z9L8GmxJ%~Gd=Z9*Zgv~Rw~k*zHHbd6o#!`
zn-*B~kDIPf!=IEWQlW&cmC_{4A{`|{*M9{C)_NrTrG-8_f=R!xFvRMUDtv9<duF@I
z=uW~9i45ORz=?fW?zHmiQ04RHy5bSm`>LJgD`V|O=s1!sV@IWMZ`D`0PdM#g%f>`k
zg&w#8$(KA~%lJ-9QRwg;mgIfXHtHHTH+OF_S#C90EKP6qMN+4Ai-+Eup%&OMWT%7^
z2X&#yJqvybt?isFWVp!Yl|Nf@txH@uaTm`uBs=yMui%Dlm%VLsC1?Rs*XHWUXJJ`{
z`i_Az>)!_(BxR;eKDMVn<IY8PkB|nT*T;8lC`a{=e_9R@_xhSl3E=uRicg7ds0g!O
z=<FL%?N3i~T~kt}EUXCPmgpAxK#Aa-2l%plus*zjQC&f!@aL=!<$d>*$VRVUMfcEL
z@tO{Sn@(N}rt23&POubq%u>R4e6LX^S1P4Hs6Kl!<dPxKcNp{W2?&Fp3Pw&HD_lRr
z3Ym~x`&#Vy9~|Il8MX+raBHt7F?FiXBnZIbUvB@QezgiKlfx<u|Id9Q@NeIr|LZR#
zz!w(hUT897&b#m7<U(;%26p9(I99+f$K%a7a(CNl;m<c6U&4O>h;DxS<;}!u%w7oo
p50mr1`Z3ABK2cHay0d%e;90t^LT(Ncd``olt7UklNaHr@e*jQAue|^O

literal 0
HcmV?d00001


From 5f3f688b2a6df153160f6f915777376d6b8bfac7 Mon Sep 17 00:00:00 2001
From: xumia <xumia@microsoft.com>
Date: Tue, 13 Oct 2020 14:17:24 +0000
Subject: [PATCH 2/7] Add apt-tool approach

---
 doc/sonic-build-system/SONiC-Reproduceable-Build.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/sonic-build-system/SONiC-Reproduceable-Build.md b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
index f7b5d8cf35..52638ab365 100644
--- a/doc/sonic-build-system/SONiC-Reproduceable-Build.md
+++ b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
@@ -247,6 +247,7 @@ The steps to do the reproduceable build for root filesystem.
 
 4. build the root filesystem using the tarball with frozen debian package versions.
 
+Another approach for debian base image reproduceable build is by [APT-TOOL](https://github.com/pauldotknopf/apt-tool). It supports to freeze the versions, and use the versions in the subsequent builds.
 
 
 # Packages downloaded by wget/curl

From 420dab781bf2722d8e0b7e9009f4ca594610170d Mon Sep 17 00:00:00 2001
From: xumia <xumia@microsoft.com>
Date: Mon, 2 Nov 2020 15:09:42 +0000
Subject: [PATCH 3/7] Add Golang, component level build description

---
 .../SONiC-Reproduceable-Build.md              | 24 ++++++++-----------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/doc/sonic-build-system/SONiC-Reproduceable-Build.md b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
index 52638ab365..65eb453699 100644
--- a/doc/sonic-build-system/SONiC-Reproduceable-Build.md
+++ b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
@@ -36,7 +36,7 @@
 | 2020/09/21 | Xuhui, added Debian/pypi repo part |
 | 2020/09/22 | Qi Luo, review |
 | 2020/10/10 | Xuhui, debootstrap supports reproduceable build |
-
+| 2020/11/01 | Xuhui, add Golang, component level build description |
 
 
 # Overview
@@ -49,6 +49,10 @@ Some of the dependent packages can be controlled by its version for the reproduc
 
 When the reproduceable build is used, to catch up with the latest version of the dependent packages, sending pull request to update the versions is required, the automation Jenkins pipeline will be created to do it.
 
+The SONiC reproduceable build framework provides a way to lock the versions of the packages in scopes as above. It will lock the versions for all the docker images including the slave docker images, host images, and docker slave containers which are used to build the SONiC targets, such as deb files, python wheels, etc.
+
+It supports to control the version of the docker slave image, and also supports to control the slave container to build the targets including docker images, host images, debian packages, etc.
+
 In Scopes:
 
 1. Pypi packages installed by pip
@@ -65,7 +69,9 @@ Next scopes:
 
 1. Support on the old branches like 201911
 
+Out of Scopes:
 
+1. Golang reproduceable build, suggest to use go.mod to support reproduceable build, see https://github.com/golang/go/wiki/Modules#faqs--gomod-and-gosum.
 
 # Pypi packages
 
@@ -102,17 +108,7 @@ pyangbind==0.6.0
 
 pyasn1==0.4.2
 
-The version auto/manual upgrade configure example is as below, the automation pipeline will not upgrade the version of the Pypi package pyasn1, because the upgrade=manual is set in the configure file, the default value is upgrade=auto for the other packages.
-
-Py==1.7.0
-
-pyang==2.3.2
-
-pyangbind==0.6.0
-
-pyasn1==0.4.2,upgrade=manual
-
-To generate the initial version configuration file, we can manually start the docker containers and print versions by command &quot;pip freeze&quot;.
+The current versions of the images will be dumped to the folder target/versions during the build. The initial/upgraded version configuration file can be generated based on it.
 
 ## Pypi Version Control and Check
 
@@ -123,9 +119,9 @@ In the Makefile or Dockerfile, if the version is specified for a Pypi package, i
 | Yes | No | Success |
 | No | Yes | Success |
 | No | No | Failed for version not specified |
-| Yes | Yes | Failed if different version |
+| Yes | Yes | Failed if different versions |
 
-The Pypi version conguration file will be used as a pip constraints file, some of the flags no used, like upgrade=manual, will be removed when used by pip command. see [pip constraints-files user guide](https://pip.pypa.io/en/stable/user_guide/#constraints-files). It will control the installing packages and the referenced packages.
+The Pypi version configuration file will be used as a pip constraints file, some of the flags no used, like upgrade=manual, will be removed when used by pip command. see [pip constraints-files user guide](https://pip.pypa.io/en/stable/user_guide/#constraints-files). It will control the installing packages and the referenced packages.
 
 The pip/pip3 command in Makefile and Dockerfile will be hooked with a new one, if version conflict, the build will break. It only installs the version of the package specified in the configuration file by adding the constraints option.
 

From c7172baec0a6a239f405d815d17d67efdde195dd Mon Sep 17 00:00:00 2001
From: xumia <xumia@microsoft.com>
Date: Tue, 3 Nov 2020 08:27:14 +0000
Subject: [PATCH 4/7] Add more specific feature description

---
 doc/sonic-build-system/SONiC-Reproduceable-Build.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/sonic-build-system/SONiC-Reproduceable-Build.md b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
index 65eb453699..8ef48d35bb 100644
--- a/doc/sonic-build-system/SONiC-Reproduceable-Build.md
+++ b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
@@ -51,7 +51,13 @@ When the reproduceable build is used, to catch up with the latest version of the
 
 The SONiC reproduceable build framework provides a way to lock the versions of the packages in scopes as above. It will lock the versions for all the docker images including the slave docker images, host images, and docker slave containers which are used to build the SONiC targets, such as deb files, python wheels, etc.
 
-It supports to control the version of the docker slave image, and also supports to control the slave container to build the targets including docker images, host images, debian packages, etc.
+It supports to control the version of the docker slave image, and also supports to control the slave containers to build the targets including docker images, host images, debian packages, etc.
+
+It supports to enable some of the components. For instance, only enable the version control for py2 and py3, while using the latest versions of the debian packages, web packages, etc.
+
+It supports to only enable the features on some of the release branches, while using the latest versions of the packages in master branch. And the default feature flag can be overwritten by the build command line parameter.
+
+It supports to upgrade the versions automatically by Jenkins jobs, and developers can freeze the versions files on the dev box and commit the version changes.
 
 In Scopes:
 

From e410945b1f3cd15c41fd76b792f211a4b1b465ba Mon Sep 17 00:00:00 2001
From: xumia <xumia@microsoft.com>
Date: Wed, 25 Nov 2020 07:12:43 +0000
Subject: [PATCH 5/7] Add Q&A and simplify web package process

---
 .../SONiC-Reproduceable-Build.md              | 33 +++++++++++++++----
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/doc/sonic-build-system/SONiC-Reproduceable-Build.md b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
index 8ef48d35bb..1adff00c38 100644
--- a/doc/sonic-build-system/SONiC-Reproduceable-Build.md
+++ b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
@@ -37,6 +37,7 @@
 | 2020/09/22 | Qi Luo, review |
 | 2020/10/10 | Xuhui, debootstrap supports reproduceable build |
 | 2020/11/01 | Xuhui, add Golang, component level build description |
+| 2020/11/25 | Xuhui, add Q&A, and simplify web package process |
 
 
 # Overview
@@ -51,13 +52,7 @@ When the reproduceable build is used, to catch up with the latest version of the
 
 The SONiC reproduceable build framework provides a way to lock the versions of the packages in scopes as above. It will lock the versions for all the docker images including the slave docker images, host images, and docker slave containers which are used to build the SONiC targets, such as deb files, python wheels, etc.
 
-It supports to control the version of the docker slave image, and also supports to control the slave containers to build the targets including docker images, host images, debian packages, etc.
-
-It supports to enable some of the components. For instance, only enable the version control for py2 and py3, while using the latest versions of the debian packages, web packages, etc.
-
-It supports to only enable the features on some of the release branches, while using the latest versions of the packages in master branch. And the default feature flag can be overwritten by the build command line parameter.
-
-It supports to upgrade the versions automatically by Jenkins jobs, and developers can freeze the versions files on the dev box and commit the version changes.
+It supports to control the version of the docker slave image, and also supports to control the slave container to build the targets including docker images, host images, debian packages, etc.
 
 In Scopes:
 
@@ -458,3 +453,27 @@ We do not manage the git repositories, if a git commit used by SONiC is removed,
 
 
 
+# Q&A
+
+1. Is the reproduceable build feature will be enabled in all branches?
+
+   It will be only enabled on the release branches, master branch will not be enabled in the short term.
+
+2. How a developer adds version configuration for new packages in a docker image?
+
+   The developer should build the docker image or any other targets, the referred packages will be collected into target folder automatically during the build, the developer can run a command "make freeze" to freeze the version configuration without manual effort to manage it, then checks in the version changes by "git add files/build/versions" together with the code change.
+
+3. How a developer upgrades the packages to latest versions?
+
+   The developer can upgrade the packages for one target or multiple targets, and can upgrades only one component or multiple components. There are two steps to do it, the first step is to make the targets with version version control option "make SONIC_VERSION_CONTROL_COMPONENTS=none \<targets>",  the second step is to freeze the version by command "make freeze" the same as mentioned above. See more options in "rule/config".
+
+4. How a developer merges code across branches? How to resolve the version conflict?
+
+   The process to merge version files is similar to merge code, we need to resolve the version conflict. To use the higher version or lower version depended on the usage scenarios, we would like to use to latest version better than the old one, but for some release branches, keep older version may be better.
+
+5. How to migrate from one debian distribution to anther one?
+
+   In the version configuration files, different version files are used in different distributions if the version files are relative the distribution. For example, the version file name versions-deb-buster is used for debian packages in buster distribution. But for python packages, we use version-py2 and version-py3 by default, it is not relative to distribution.
+
+   When migrating from stretch to buster, we may need to add additional version configuration for debian packages, but not require to add version files for python packages. See Q&A #2 for adding additional version configuration and #4 for version conflict.
+

From c8695d0bd2332592c8b519e523aa33182f3437b0 Mon Sep 17 00:00:00 2001
From: xumia <xumia@microsoft.com>
Date: Wed, 23 Feb 2022 02:43:56 +0000
Subject: [PATCH 6/7] Update scopes

---
 doc/sonic-build-system/SONiC-Reproduceable-Build.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/doc/sonic-build-system/SONiC-Reproduceable-Build.md b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
index 1adff00c38..ac94417271 100644
--- a/doc/sonic-build-system/SONiC-Reproduceable-Build.md
+++ b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
@@ -38,6 +38,7 @@
 | 2020/10/10 | Xuhui, debootstrap supports reproduceable build |
 | 2020/11/01 | Xuhui, add Golang, component level build description |
 | 2020/11/25 | Xuhui, add Q&A, and simplify web package process |
+| 2022/02/23 | Xuhui, update scopes |
 
 
 # Overview
@@ -61,10 +62,10 @@ In Scopes:
 3. Host image created by debootstrap
 4. Web packages downloaded by wget/curl
 5. Debian package mirror
-6. Pypi package mirror
-7. Docker base images
-8. Source code by git, full commit id
-9. Arch: amd64, arm64, armhf
+6. Docker base images
+7. Source code by git, full commit id
+8. Arch: amd64, arm64, armhf
+9. Branches: 202012/202106/202111, after 202012
 
 Next scopes:
 
@@ -73,6 +74,7 @@ Next scopes:
 Out of Scopes:
 
 1. Golang reproduceable build, suggest to use go.mod to support reproduceable build, see https://github.com/golang/go/wiki/Modules#faqs--gomod-and-gosum.
+2. Pypi package mirror (Multiple versions supported)
 
 # Pypi packages
 

From 2794527f8e169f9caca9d9dea7d1f50840546e4d Mon Sep 17 00:00:00 2001
From: xumia <xumia@microsoft.com>
Date: Mon, 17 Oct 2022 05:26:00 +0000
Subject: [PATCH 7/7] Add explicit note for file hash method

---
 .../SONiC-Reproduceable-Build.md              | 959 +++++++++---------
 1 file changed, 478 insertions(+), 481 deletions(-)

diff --git a/doc/sonic-build-system/SONiC-Reproduceable-Build.md b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
index ac94417271..0ff8371f93 100644
--- a/doc/sonic-build-system/SONiC-Reproduceable-Build.md
+++ b/doc/sonic-build-system/SONiC-Reproduceable-Build.md
@@ -1,481 +1,478 @@
-
-
-# SONiC Reproduceable Build
-
-
-
-# Table of Contents
-
-- [Revision History](#revision-history)
-- [Overview](#overview)
-- [Pypi packages](#pypi-packages)
-  * [Pypi Version Configuration](#pypi-version-configuration)
-  * [Pypi Version Control and Check](#pypi-version-control-and-check)
-  * [Pypi Version Upgrade Automation](#pypi-version-upgrade-automation)
-  * [Work Items](#work-items)
-- [Debian Packages](#debian-packages)
-  * [Debian Version Configuration](#debian-version-configuration)
-  * [Debian Packages Version Control and Check](#debian-packages-version-control-and-check)
-  * [Work Items](#work-items-1)
-- [Debootstrap](#debootstrap)
-- [Packages downloaded by wget/curl](#packages-downloaded-by-wget-curl)
-  * [Web Package Version Configuration](#web-package-version-configuration)
-  * [File Storage](#file-storage)
-  * [The process to use a new web package](#the-process-to-use-a-new-web-package)
-  * [Work Items](#work-items-2)
-- [Debian Package Mirror](#debian-package-mirror)
-  * [Debian Package Mirror managed by Aptly](#debian-package-mirror-managed-by-aptly)
-- [Pypi Package Mirror](#pypi-package-mirror)
-- [Docker Base Images](#docker-base-images)
-- [Git Repository](#git-repository)
-
-# Revision History
-|Date|Description|
-| :------- | :------- |
-| 2020/08/21 | Xuhui Miao, initial version |
-| 2020/09/21 | Xuhui, added Debian/pypi repo part |
-| 2020/09/22 | Qi Luo, review |
-| 2020/10/10 | Xuhui, debootstrap supports reproduceable build |
-| 2020/11/01 | Xuhui, add Golang, component level build description |
-| 2020/11/25 | Xuhui, add Q&A, and simplify web package process |
-| 2022/02/23 | Xuhui, update scopes |
-
-
-# Overview
-
-There are many SONiC failure builds caused by the external dependencies changed. It can be built in the first time and might be failed in the next build, although there are no code changes. SONiC reproducible build is to make the build stable and reduce the failure rate, build on the same git commit, expect the same result.
-
-The external dependencies contain pypi packages installed by pip/pip3, Debian packages installed by apt-get, wget/curl, debootstrap, docker base images, source code by git.
-
-Some of the dependent packages can be controlled by its version for the reproduceable build, such as pypi packages, Debian package. There is an assumption that the content of the packages should be the same for the packages with the same version. The other packages do not have a specified version, when the remote package changed, it cannot be detected by its URL, such as wget/curl. The file storage will be introduced to solve the package without version issue.
-
-When the reproduceable build is used, to catch up with the latest version of the dependent packages, sending pull request to update the versions is required, the automation Jenkins pipeline will be created to do it.
-
-The SONiC reproduceable build framework provides a way to lock the versions of the packages in scopes as above. It will lock the versions for all the docker images including the slave docker images, host images, and docker slave containers which are used to build the SONiC targets, such as deb files, python wheels, etc.
-
-It supports to control the version of the docker slave image, and also supports to control the slave container to build the targets including docker images, host images, debian packages, etc.
-
-In Scopes:
-
-1. Pypi packages installed by pip
-2. Debian packages installed by apt-get
-3. Host image created by debootstrap
-4. Web packages downloaded by wget/curl
-5. Debian package mirror
-6. Docker base images
-7. Source code by git, full commit id
-8. Arch: amd64, arm64, armhf
-9. Branches: 202012/202106/202111, after 202012
-
-Next scopes:
-
-1. Support on the old branches like 201911
-
-Out of Scopes:
-
-1. Golang reproduceable build, suggest to use go.mod to support reproduceable build, see https://github.com/golang/go/wiki/Modules#faqs--gomod-and-gosum.
-2. Pypi package mirror (Multiple versions supported)
-
-# Pypi packages
-
-## Pypi Version Configuration
-
-The default version configuration files in &quot;files/build/versions/&quot; for Pypi packages.
-
-| File Name | Description |
-| --- | --- |
-| versions-py2 | The default versions for python2 |
-| versions-py3 | The default versions for python3 |
-
-The content of the version file versions-py2 example:
-
-Py==1.7.0
-
-pyang==2.1.1
-
-pyangbind==0.6.0
-
-pyasn1==0.4.2
-
-The versions can be overridden by the version configuration file with the same file name in the Dockerfile folder, for example, the content of the version file dockers/docker-base-buster/versions-py2:
-
-**pyang==2.3.2**
-
-When building the docker-base-buster, the expected version constraints are as below:
-
-Py==1.7.0
-
-**pyang==2.3.2**
-
-pyangbind==0.6.0
-
-pyasn1==0.4.2
-
-The current versions of the images will be dumped to the folder target/versions during the build. The initial/upgraded version configuration file can be generated based on it.
-
-## Pypi Version Control and Check
-
-In the Makefile or Dockerfile, if the version is specified for a Pypi package, it should be the same as the version in the constraints file. The build will be failed with version conflict.
-
-| Version in config file | Version in Makefile/Dockerfile | Check Result |
-| --- | --- | --- |
-| Yes | No | Success |
-| No | Yes | Success |
-| No | No | Failed for version not specified |
-| Yes | Yes | Failed if different versions |
-
-The Pypi version configuration file will be used as a pip constraints file, some of the flags no used, like upgrade=manual, will be removed when used by pip command. see [pip constraints-files user guide](https://pip.pypa.io/en/stable/user_guide/#constraints-files). It will control the installing packages and the referenced packages.
-
-The pip/pip3 command in Makefile and Dockerfile will be hooked with a new one, if version conflict, the build will break. It only installs the version of the package specified in the configuration file by adding the constraints option.
-
-## Pypi Version Upgrade Automation
-
-Developers can change the Pypi package version manually, and the Jenkins job will be provided to upgrade the Pypi package version automatically. It will upgrade all the Pypi packages listed in the Pypi version files, except the packages with a flag &quot;upgrade=manual&quot; in the configuration file.
-
-The data flow diagram of version upgrade is as below:
-
-![](images/pypi-version-upgrade-automation.png)
-
-## Work Items
-
-1. Generate the initial version files for pip/pip3.
-2. Add the new pip/pip3 command, verify the version and use the version constraints.
-3. Enable the new commands in Dockerfile files and Makefile files.
-4. Implement the Pypi version upgrade automation Jenkins pipeline.
-
-# Debian Packages
-
-## Debian Version Configuration
-
-The default version source files in files/build/versions/ for Debian packages.
-
-| File Name | Description |
-| --- | --- |
-| versions-deb-jessie | The versions for jessie |
-| versions-deb-stretch | The versions for stretch |
-| versions-deb-buster | The versions for buster |
-
-Similar to Pypi packages, the package version can be overridden per docker image. The different part is that the versions of the debian packages are relative to the debian release, in each release, such as the stretch and buster, the package versions are not the same, so we define a version configuration file for each debian release. For a specified docker image, such as docker-base-buster, etc, we can use dockers/docker-base-buster/versions-deb to override the version configuration file.
-
-## Debian Packages Version Control and Check
-
-Like Pypi Version control and check, if the build version is conflict with the version configuration, the build will be failed. The apt-get will be replaced with a bash script to check the version conflict.
-
-The version control is based on the [APT Preferences](https://manpages.debian.org/buster/apt/apt_preferences.5.en.html). The high priority of the APT preference can force to install a specified version of a package, even downgrade the package (priority >= 1000).
-
-Example setting for sudo:
-
-_Package: tzdata_
-
-_Pin: version 2019c-0+deb10u1_
-
-_Pin-Priority: 990_
-
-When installing the package tzdata, if the docker base has installed 2020a-0+deb10u1, it will skip to install the lower version 1.8.21p2-3ubuntu1 of the package. If the version is not installed, then prefer to install 2019c-0+deb10u1.
-
-The version configuration file not only controls the packages installing directly by &quot;apt-get install&quot; command, but also controls the dependent packages.
-
-When installing the package ntp, the package is depending on the package tzdata, if the tzdata not install the version 2019c-0+deb10u1 will be installed, even there is a new version 2020a-c+deb10u1.
-
-Sample script to verify it:
-
-_# apt-cache madison tzdata_
-
-_tzdata | 2020a-0+deb10u1 | http://deb.debian.org/debian buster/main amd64 Packages_
-
-_tzdata | 2019c-0+deb10u1 | http://deb.debian.org/debian buster-updates/main amd64 Packages_
-
-_# apt-get remove tzdata_
-
-_# apt-get install ntp_
-
-_# dpkg -l tzdata | grep tzdata_
-
-_ii tzdata 2019c-0+deb10u1 all time zone and daylight-saving time data_
-
-If you change the Pin-Priority to 100, then the latest version will be installed.
-
-## Work Items
-
-1. Generate the initial version files for Debian packages.
-
-2. Add the new apt-get command, verify the version and set the version preferences.
-
-3. Enable the new commands in Dockerfile files and Makefile files.
-
-4. Implement the Debian packages version upgrade automation Jenkins pipeline.
-
-   
-
-# Debootstrap
-
-Currently, it will call debootstrap command in each build to create a new debian base host image, the image will automatically use the latest debian packages. It is not a reproduceable build.
-
-debootstrap --variant=minbase --arch amd64 buster rootfs
-
-There are 4 steps in the debootstrap command normally, finding debian packages, downloading the packages, the first stage, and the second stage. The debootstrap supports to only run the first two steps to generate a tarball in tgz format, and supports to use the tarball to generate the file system without downloading the packages again.
-
-debootstrap --variant=minbase --arch amd64 --unpack-tarball=tarball.tgz buster rootfs
-
-The --unpack-tarball will only do the last two steps, without finding/downloading the debian packages in buster, See [debootstrap git commit](https://salsa.debian.org/installer-team/debootstrap/-/commit/25d80b10319ed292827d016bfea6edcdb51b9b52)
-
-The tarball can be generated by the following command:
-
-debootstrap --variant=minbase --arch amd64 --make-tarball=tarball.tgz buster rootfs
-
-We can generate the tarball and replace the all packages with the right versions, or generate the tarball ourselves to support the reproduceable build.
-
-The tarball format is as below:
-
-| File                    | Description                                          |
-| :---------------------- | :--------------------------------------------------- |
-| /debootstrap/base       | The base debian packages                             |
-| /debootstrap/required   | The required debian packages                         |
-| /debootstrap/debpaths   | The debian package name to package real path mapping |
-| /var/cache/apt/archives | Contains the debian packages in the folder           |
-
-The steps to do the reproduceable build for root filesystem.
-
-1. Build the normal root filesystem
-
-   debootstrap --variant=minbase --arch amd64 buster rootfs
-
-2. Freeze the versions, the version configuration format, see [here](#Pypi-Version-Configuration)
-
-3. Download the debian packages based on the frozen versions, and make the debootstrap tarball
-
-4. build the root filesystem using the tarball with frozen debian package versions.
-
-Another approach for debian base image reproduceable build is by [APT-TOOL](https://github.com/pauldotknopf/apt-tool). It supports to freeze the versions, and use the versions in the subsequent builds.
-
-
-# Packages downloaded by wget/curl
-
-The web site may be not stable, and the web packages may be replaced to another one unexpectedly, so we do not want to depend on the web packages at a remote web site. Although there is no version for a package downloaded by wget/curl, the hash value of the package file can be used as the version value. Like Pypi packages and the Debian packages, there is a configuration file for wget/curl. For the package with the same URL, it is expected the same binary will be retrieved when using wget/curl.
-
-Requirements:
-
-1. Use the same web package, even the remote web package changed.
-2. Improve reliability, the build does not be impacted when the remote web site is not available.
-3. Keep update, automatically send a version change Pull Request to use the latest web package. [Low Priority]
-
-## Web Package Version Configuration
-
-The version file in files/build/versions/ for web packages.
-
-| File Name | Description |
-| --- | --- |
-| versions-web | The versions for packages downloaded from web |
-
-Like pip or debian package version configuration, the version format for web package is as below:
-
-<Package URL> **==** <hash value>;
-
-An example as below:
-
-https://storage.googleapis.com/golang/go1.14.2.linux-amd64.tar.gz== ebef065e4d35572af5b03e2be957a9c6c5063b38
-
-If any new remote web package is used, it should be added in the version configuration file, or the build will be failed, so as to the existing web packages.
-
-## File Storage
-
-Before a web package is used in the SONiC repository, the package should be uploaded to a trusted file storage. The SONiC build only depends on the trusted file storage, not depend on the remote web site.
-
-The file name format in the file storage is as below:
-
-<package name>-<sha1sum>
-
-For an example: go1.14.2.linux-amd64.tar.gz-ebef065e4d35572af5b03e2be957a9c6c5063b38
-
-For the same web package, it supports to have multiple versions of the file in the file storage, for example, go1.14.2.linux-amd64.tar.gz-b73d6366c0bce441d20138c150e2ddcdf406e654 (fake hash value), but for the same commit, the same version is used.
-
-There are multiple solutions for the file storage, such as FTP server, NFS server, Http Server, we do not focus on how to implement the file storage. In this document, we use Azure Storage Blob Container as the file storage. When you wget the web package [https://storage.googleapis.com/golang/go1.14.2.linux-amd64.tar.gz](https://storage.googleapis.com/golang/go1.14.2.linux-amd64.tar.gz), it will actually download package from the URL like [https://sonicstorage.blob.core.windows.net/public/go1.14.2.linux-amd64.tar.gz-ebef065e4d35572af5b03e2be957a9c6c5063b38](https://sonicstorage.blob.core.windows.net/public/go1.14.2.linux-amd64.tar.gz-ebef065e4d35572af5b03e2be957a9c6c5063b38) during the build, in this case, the storage account URL is [https://sonicstorage.blob.core.windows.net](https://sonicstorage.blob.core.windows.net/), and the container name is public. Some of the packages are already in the same storage account, it is not necessary to add to the version in the configuration file.
-
-## The process to use a new web package
-
-Option A: Manually upload package (only for file storage admin)
-
-1. Manually upload the web package to the file storage.
-2. Change the web package version configuration file to register the package, and use the wget/curl to download the package in your build script.
-
-Option B: Automatically upload package (for all)
-
-![](images/upload-package-automation.png)
-
-1. Change the web package version configuration file to register the package.
-
-Developer sends a Pull Request to register the web package, the web package URL and the package hash value (sha1sum) should be provided. The PR should be only one-line change in files/build/versions/versions-web, see [Web Package Version Configuration](#_Web_Package_Version).
-
-1. Upload the web package to the file storage.
-
-When the Pull Request is complete, and the commit is merged to the master branch, a background task is triggered to download the package, check the hash value, and upload to the file storage.
-
-1. Use the web package in your build script.
-
-Expect the step 2 is complete automatically. When the step 2 is complete, the web package is ready to use.
-
-## Work Items
-
-1. Generate the initial version files for web packages.
-2. Add the new wget/curl command, verify the hash value.
-3. Enable the new commands in Dockerfile files and Makefile files.
-4. Implement the web packages uploading to file storage automation Jenkins pipeline.
-
-# Debian Package Mirror
-
-Debian official mirror only supports a single version of each binary package in any given release by design. For reproduceable build, it is required to manage previous versions of Debian packages. The designed Debian package mirror is to guarantee that all the versions of Debian packages used by sonic-imagebuild exist in the mirror.
-
-The current design of the Debian package mirror is managed by [Aptly](https://www.aptly.info/). The [Azure Storage Static Website](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website) is used to publish the mirror. The [Azure Content Delivery Network (CDN)](https://docs.microsoft.com/en-us/azure/cdn/cdn-overview) integrated with Azure Storage Account is enabled to cache content from Azure Storage. To improve availability and performance, [Azure Traffic Manager](https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview) that supports failover across multiple Azure CDN endpoints, is exposed to users.
-
-![](images/azure-debian-mirror.png)
-
-
-
-## Debian Package Mirror managed by Aptly
-
-Steps to publish a Debian package mirror by Aptly:
-
-1. Create a mirror pool and update the pool, example commands as below:
-
-   _aptly mirror create debian-buster-main http://deb.debian.org/debian buster main_
-
-   _aptly mirror update debian-buster-main_
-
-2. Create a repository and import the packages from mirror pool, example commands as below:
-
-   _aptly repo create repo-debian-buster-main_
-
-   _aptly repo import debian-buster-main repo-debian-buster-main_
-
-3. Publish a repository
-
-   _aptly publish repo -distribution=buster repo-debian-buster_
-
-Steps to update a Debian package mirror by Aptly:
-
-1. Update the mirror pool
-
-   _aptly mirror update debian-buster-main_
-
-2. Import the repository
-
-   _aptly repo import debian-buster-main repo-debian-buster-main_
-
-3. Update the publish
-
-   _aptly publish update buster_
-
-To Publish the mirror to Azure Storage, [Azure Blob Fuse](https://github.com/Azure/azure-storage-fuse) supports to mount the Azure Blob Container to the filesystem, it makes easy to publish the Debian package mirror. The Azure Storage Account, storage container name and the Storage Account Assess Key or Storage SAS Token should be provided. The publish settings of aptly are as below:
-
-_&quot;FileSystemPublishEndpoints&quot;: {_
-
-_&quot;web&quot;: {_
-
-_&quot;rootDir&quot;: &quot; __/data/aptly/debian/web__&quot;,_
-
-_&quot;linkMethod&quot;: &quot;copy&quot;,_
-
-_&quot;verifyMethod&quot;:&quot;md5&quot;_
-
-_},_
-
-…
-
-_}_
-
-The rootDir above can be a blob fuse mount point. It will publish to Azure Storage directly.
-
-It is not guaranteed that all the Debian packages are in the mirror, if the size of the mirror glows too fast, we will remove some of the old versions of the packages which are not used by SONiC.
-
-# Pypi Package Mirror
-
-The Pypi official mirror supports multiple versions of each binary package. It is not required to have an additional mirror for the reproduceable build. Not like Debian package mirror, the designed Pypi mirror only publishes the packages used by SONiC image build, the other packages will not be published. Because the size of the full Pypi package mirror is up to 6 trillion bytes now, it is really hard to manage.
-
-The design of the Pypi package mirror is only for monitoring and alerting. When a specified version of the package is used in SONiC, we can expect the package should never be changed. If it was changed (the same package name and version, but different binary), we will be notified.
-
-If a package used by SONiC is removed from the Pypi official mirror accidently, the SONiC build will be failed. One of the solution is to add the extra URLs for pip command, see [here](https://pip.pypa.io/en/stable/reference/pip_install/#install-extra-index-url). But the risk should be very low, we keep to update the version to the latest one by design. It should not be the high priority task to do it.
-
-To publish only the packages used by SONiC, the used packages and versions should be collected by SONiC build. The input file should be like this as below:
-
-_Automat==0.6.0_
-
-_Babel==2.3.4_
-
-_Babel==2.6.0_
-
-_Flask==1.1.2_
-
-_Jinja2==2.10_
-
-_Jinja2==2.11.2_
-
-_Jinja2==2.7.3_
-
-For one package, it may contain several versions to publish. The input file schema is the same as the Pypi version control file.
-
-The [python-pypi-mirror](https://pypi.org/project/python-pypi-mirror/) is used to publish the Pypi mirror to [Azure Storage Static Website](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website), likes Debian package mirror, it supports CDN and traffic manager.
-
-# Docker Base Images
-
-In the original design, the base images of the SONiC Dockerfile are based on image tag, for instance, in the Dockerfile sonic-slave-buster/Dockerfile, the base image is debian:buster, we can find &quot;From debian:buster&quot; in the file. When a new debian buster image is pushed in the docker registry, the debian:buster will refer to the new one, it is not reproduceable. To make it support reproduceable, we can change to refer to the digest hash value of the image. The docker base images that are based on the image tag will be changed to base on the image digest to support reproduceable build. The Dockerfile as below is based on the image tag:
-
-_From <image>:<tag>_
-
-Example:
-
-_From debian:buster_
-
-Change to:
-
-_From <image>:<digest>_
-
-Example:
-
-_From debian@sha256:439a6bae1ef351ba9308fc9a5e69ff7754c14516f6be8ca26975fb564cb7fb76_
-
-The docker file will be changed to use the right digest during the build based on a version control file in file/build/versions/versions-docker-base, the content of the file is as below:
-
-debian:buster==_sha256:439a6bae1ef351ba9308fc9a5e69ff7754c14516f6be8ca26975fb564cb7fb76_
-
-debian:stretch==_sha256:335ecf9e8d9b2206c2e9e7f8b09547faa9f868e694f7c5be14c38be15ea8a7cf_
-
-debian:jessie==_sha256:8fc7649643ca1acd3940706613ea7b170762cfce6e7955a6afb387aa40e9f9ea_
-
-# Git Repository
-
-The SONiC build will download source code from remote repository during the build. For instance, when building sflow, it will download source code by command: git clone [https://github.com/sflow/sflowtool](https://github.com/sflow/sflowtool). It will download the latest source code, not reproduceable.
-
-A version control file is introduced to control which commit of the git repository will be download when building SONiC image. The schema of the version control file is same as wget/curl. The content of the control file likes as below:
-
-[https://github.com/sflow/sflowtool==1e42bc69fab8a8bc58b04a0ff9ad2c366eef6121](https://github.com/sflow/sflowtool==1e42bc69fab8a8bc58b04a0ff9ad2c366eef6121)
-
-It will run &quot;git reset <commit id> --hard&quot; after the &quot;git clone&quot; command.
-
-We do not manage the git repositories, if a git commit used by SONiC is removed, then the build will be broken.
-
-
-
-# Q&A
-
-1. Is the reproduceable build feature will be enabled in all branches?
-
-   It will be only enabled on the release branches, master branch will not be enabled in the short term.
-
-2. How a developer adds version configuration for new packages in a docker image?
-
-   The developer should build the docker image or any other targets, the referred packages will be collected into target folder automatically during the build, the developer can run a command "make freeze" to freeze the version configuration without manual effort to manage it, then checks in the version changes by "git add files/build/versions" together with the code change.
-
-3. How a developer upgrades the packages to latest versions?
-
-   The developer can upgrade the packages for one target or multiple targets, and can upgrades only one component or multiple components. There are two steps to do it, the first step is to make the targets with version version control option "make SONIC_VERSION_CONTROL_COMPONENTS=none \<targets>",  the second step is to freeze the version by command "make freeze" the same as mentioned above. See more options in "rule/config".
-
-4. How a developer merges code across branches? How to resolve the version conflict?
-
-   The process to merge version files is similar to merge code, we need to resolve the version conflict. To use the higher version or lower version depended on the usage scenarios, we would like to use to latest version better than the old one, but for some release branches, keep older version may be better.
-
-5. How to migrate from one debian distribution to anther one?
-
-   In the version configuration files, different version files are used in different distributions if the version files are relative the distribution. For example, the version file name versions-deb-buster is used for debian packages in buster distribution. But for python packages, we use version-py2 and version-py3 by default, it is not relative to distribution.
-
-   When migrating from stretch to buster, we may need to add additional version configuration for debian packages, but not require to add version files for python packages. See Q&A #2 for adding additional version configuration and #4 for version conflict.
-
+# SONiC Reproduceable Build
+
+# Table of Contents
+
+- [Revision History](#revision-history)
+- [Overview](#overview)
+- [Pypi packages](#pypi-packages)
+  * [Pypi Version Configuration](#pypi-version-configuration)
+  * [Pypi Version Control and Check](#pypi-version-control-and-check)
+  * [Pypi Version Upgrade Automation](#pypi-version-upgrade-automation)
+  * [Work Items](#work-items)
+- [Debian Packages](#debian-packages)
+  * [Debian Version Configuration](#debian-version-configuration)
+  * [Debian Packages Version Control and Check](#debian-packages-version-control-and-check)
+  * [Work Items](#work-items-1)
+- [Debootstrap](#debootstrap)
+- [Packages downloaded by wget/curl](#packages-downloaded-by-wget-curl)
+  * [Web Package Version Configuration](#web-package-version-configuration)
+  * [File Storage](#file-storage)
+  * [The process to use a new web package](#the-process-to-use-a-new-web-package)
+  * [Work Items](#work-items-2)
+- [Debian Package Mirror](#debian-package-mirror)
+  * [Debian Package Mirror managed by Aptly](#debian-package-mirror-managed-by-aptly)
+- [Pypi Package Mirror](#pypi-package-mirror)
+- [Docker Base Images](#docker-base-images)
+- [Git Repository](#git-repository)
+
+# Revision History
+|Date|Description|
+| :------- | :------- |
+| 2020/08/21 | Xuhui Miao, initial version |
+| 2020/09/21 | Xuhui, added Debian/pypi repo part |
+| 2020/09/22 | Qi Luo, review |
+| 2020/10/10 | Xuhui, debootstrap supports reproduceable build |
+| 2020/11/01 | Xuhui, add Golang, component level build description |
+| 2020/11/25 | Xuhui, add Q&A, and simplify web package process |
+| 2022/02/23 | Xuhui, update scopes |
+
+
+# Overview
+
+There are many SONiC failure builds caused by the external dependencies changed. It can be built in the first time and might be failed in the next build, although there are no code changes. SONiC reproducible build is to make the build stable and reduce the failure rate, build on the same git commit, expect the same result.
+
+The external dependencies contain pypi packages installed by pip/pip3, Debian packages installed by apt-get, wget/curl, debootstrap, docker base images, source code by git.
+
+Some of the dependent packages can be controlled by its version for the reproduceable build, such as pypi packages, Debian package. There is an assumption that the content of the packages should be the same for the packages with the same version. The other packages do not have a specified version, when the remote package changed, it cannot be detected by its URL, such as wget/curl. The file storage will be introduced to solve the package without version issue.
+
+When the reproduceable build is used, to catch up with the latest version of the dependent packages, sending pull request to update the versions is required, the automation Jenkins pipeline will be created to do it.
+
+The SONiC reproduceable build framework provides a way to lock the versions of the packages in scopes as above. It will lock the versions for all the docker images including the slave docker images, host images, and docker slave containers which are used to build the SONiC targets, such as deb files, python wheels, etc.
+
+It supports to control the version of the docker slave image, and also supports to control the slave container to build the targets including docker images, host images, debian packages, etc.
+
+In Scopes:
+
+1. Pypi packages installed by pip
+2. Debian packages installed by apt-get
+3. Host image created by debootstrap
+4. Web packages downloaded by wget/curl
+5. Debian package mirror
+6. Docker base images
+7. Source code by git, full commit id
+8. Arch: amd64, arm64, armhf
+9. Branches: 202012/202106/202111, after 202012
+
+Next scopes:
+
+1. Support on the old branches like 201911
+
+Out of Scopes:
+
+1. Golang reproduceable build, suggest to use go.mod to support reproduceable build, see https://github.com/golang/go/wiki/Modules#faqs--gomod-and-gosum.
+2. Pypi package mirror (Multiple versions supported)
+
+# Pypi packages
+
+## Pypi Version Configuration
+
+The default version configuration files in &quot;files/build/versions/&quot; for Pypi packages.
+
+| File Name | Description |
+| --- | --- |
+| versions-py2 | The default versions for python2 |
+| versions-py3 | The default versions for python3 |
+
+The content of the version file versions-py2 example:
+
+Py==1.7.0
+
+pyang==2.1.1
+
+pyangbind==0.6.0
+
+pyasn1==0.4.2
+
+The versions can be overridden by the version configuration file with the same file name in the Dockerfile folder, for example, the content of the version file dockers/docker-base-buster/versions-py2:
+
+**pyang==2.3.2**
+
+When building the docker-base-buster, the expected version constraints are as below:
+
+Py==1.7.0
+
+**pyang==2.3.2**
+
+pyangbind==0.6.0
+
+pyasn1==0.4.2
+
+The current versions of the images will be dumped to the folder target/versions during the build. The initial/upgraded version configuration file can be generated based on it.
+
+## Pypi Version Control and Check
+
+In the Makefile or Dockerfile, if the version is specified for a Pypi package, it should be the same as the version in the constraints file. The build will be failed with version conflict.
+
+| Version in config file | Version in Makefile/Dockerfile | Check Result |
+| --- | --- | --- |
+| Yes | No | Success |
+| No | Yes | Success |
+| No | No | Failed for version not specified |
+| Yes | Yes | Failed if different versions |
+
+The Pypi version configuration file will be used as a pip constraints file, some of the flags no used, like upgrade=manual, will be removed when used by pip command. see [pip constraints-files user guide](https://pip.pypa.io/en/stable/user_guide/#constraints-files). It will control the installing packages and the referenced packages.
+
+The pip/pip3 command in Makefile and Dockerfile will be hooked with a new one, if version conflict, the build will break. It only installs the version of the package specified in the configuration file by adding the constraints option.
+
+## Pypi Version Upgrade Automation
+
+Developers can change the Pypi package version manually, and the Jenkins job will be provided to upgrade the Pypi package version automatically. It will upgrade all the Pypi packages listed in the Pypi version files, except the packages with a flag &quot;upgrade=manual&quot; in the configuration file.
+
+The data flow diagram of version upgrade is as below:
+
+![](images/pypi-version-upgrade-automation.png)
+
+## Work Items
+
+1. Generate the initial version files for pip/pip3.
+2. Add the new pip/pip3 command, verify the version and use the version constraints.
+3. Enable the new commands in Dockerfile files and Makefile files.
+4. Implement the Pypi version upgrade automation Jenkins pipeline.
+
+# Debian Packages
+
+## Debian Version Configuration
+
+The default version source files in files/build/versions/ for Debian packages.
+
+| File Name | Description |
+| --- | --- |
+| versions-deb-jessie | The versions for jessie |
+| versions-deb-stretch | The versions for stretch |
+| versions-deb-buster | The versions for buster |
+
+Similar to Pypi packages, the package version can be overridden per docker image. The different part is that the versions of the debian packages are relative to the debian release, in each release, such as the stretch and buster, the package versions are not the same, so we define a version configuration file for each debian release. For a specified docker image, such as docker-base-buster, etc, we can use dockers/docker-base-buster/versions-deb to override the version configuration file.
+
+## Debian Packages Version Control and Check
+
+Like Pypi Version control and check, if the build version is conflict with the version configuration, the build will be failed. The apt-get will be replaced with a bash script to check the version conflict.
+
+The version control is based on the [APT Preferences](https://manpages.debian.org/buster/apt/apt_preferences.5.en.html). The high priority of the APT preference can force to install a specified version of a package, even downgrade the package (priority >= 1000).
+
+Example setting for sudo:
+
+_Package: tzdata_
+
+_Pin: version 2019c-0+deb10u1_
+
+_Pin-Priority: 990_
+
+When installing the package tzdata, if the docker base has installed 2020a-0+deb10u1, it will skip to install the lower version 1.8.21p2-3ubuntu1 of the package. If the version is not installed, then prefer to install 2019c-0+deb10u1.
+
+The version configuration file not only controls the packages installing directly by &quot;apt-get install&quot; command, but also controls the dependent packages.
+
+When installing the package ntp, the package is depending on the package tzdata, if the tzdata not install the version 2019c-0+deb10u1 will be installed, even there is a new version 2020a-c+deb10u1.
+
+Sample script to verify it:
+
+_# apt-cache madison tzdata_
+
+_tzdata | 2020a-0+deb10u1 | http://deb.debian.org/debian buster/main amd64 Packages_
+
+_tzdata | 2019c-0+deb10u1 | http://deb.debian.org/debian buster-updates/main amd64 Packages_
+
+_# apt-get remove tzdata_
+
+_# apt-get install ntp_
+
+_# dpkg -l tzdata | grep tzdata_
+
+_ii tzdata 2019c-0+deb10u1 all time zone and daylight-saving time data_
+
+If you change the Pin-Priority to 100, then the latest version will be installed.
+
+## Work Items
+
+1. Generate the initial version files for Debian packages.
+
+2. Add the new apt-get command, verify the version and set the version preferences.
+
+3. Enable the new commands in Dockerfile files and Makefile files.
+
+4. Implement the Debian packages version upgrade automation Jenkins pipeline.
+
+   
+
+# Debootstrap
+
+Currently, it will call debootstrap command in each build to create a new debian base host image, the image will automatically use the latest debian packages. It is not a reproduceable build.
+
+debootstrap --variant=minbase --arch amd64 buster rootfs
+
+There are 4 steps in the debootstrap command normally, finding debian packages, downloading the packages, the first stage, and the second stage. The debootstrap supports to only run the first two steps to generate a tarball in tgz format, and supports to use the tarball to generate the file system without downloading the packages again.
+
+debootstrap --variant=minbase --arch amd64 --unpack-tarball=tarball.tgz buster rootfs
+
+The --unpack-tarball will only do the last two steps, without finding/downloading the debian packages in buster, See [debootstrap git commit](https://salsa.debian.org/installer-team/debootstrap/-/commit/25d80b10319ed292827d016bfea6edcdb51b9b52)
+
+The tarball can be generated by the following command:
+
+debootstrap --variant=minbase --arch amd64 --make-tarball=tarball.tgz buster rootfs
+
+We can generate the tarball and replace the all packages with the right versions, or generate the tarball ourselves to support the reproduceable build.
+
+The tarball format is as below:
+
+| File                    | Description                                          |
+| :---------------------- | :--------------------------------------------------- |
+| /debootstrap/base       | The base debian packages                             |
+| /debootstrap/required   | The required debian packages                         |
+| /debootstrap/debpaths   | The debian package name to package real path mapping |
+| /var/cache/apt/archives | Contains the debian packages in the folder           |
+
+The steps to do the reproduceable build for root filesystem.
+
+1. Build the normal root filesystem
+
+   debootstrap --variant=minbase --arch amd64 buster rootfs
+
+2. Freeze the versions, the version configuration format, see [here](#Pypi-Version-Configuration)
+
+3. Download the debian packages based on the frozen versions, and make the debootstrap tarball
+
+4. build the root filesystem using the tarball with frozen debian package versions.
+
+Another approach for debian base image reproduceable build is by [APT-TOOL](https://github.com/pauldotknopf/apt-tool). It supports to freeze the versions, and use the versions in the subsequent builds.
+
+
+# Packages downloaded by wget/curl
+
+The web site may be not stable, and the web packages may be replaced to another one unexpectedly, so we do not want to depend on the web packages at a remote web site. Although there is no version for a package downloaded by wget/curl, the hash value of the package file can be used as the version value. Like Pypi packages and the Debian packages, there is a configuration file for wget/curl. For the package with the same URL, it is expected the same binary will be retrieved when using wget/curl.
+
+Requirements:
+
+1. Use the same web package, even the remote web package changed.
+2. Improve reliability, the build does not be impacted when the remote web site is not available.
+3. Keep update, automatically send a version change Pull Request to use the latest web package. [Low Priority]
+
+## Web Package Version Configuration
+
+The version file in files/build/versions/ for web packages.
+
+| File Name | Description |
+| --- | --- |
+| versions-web | The versions for packages downloaded from web |
+
+Like pip or debian package version configuration, the version format for web package is as below:
+```
+<Package URL> **==** <hash value>;
+```
+The hash value is the package's md5 message digest.
+
+An example as below:
+```
+https://storage.googleapis.com/golang/go1.14.2.linux-amd64.tar.gz== ebef065e4d35572af5b03e2be957a9c6c5063b38
+```
+If any new remote web package is used, it should be added in the version configuration file, or the build will be failed, so as to the existing web packages.
+
+## File Storage
+
+Before a web package is used in the SONiC repository, the package should be uploaded to a trusted file storage. The SONiC build only depends on the trusted file storage, not depend on the remote web site.
+
+The file name format in the file storage is as below:
+```
+<package name>-<md5sum>
+```
+For an example: go1.14.2.linux-amd64.tar.gz-ebef065e4d35572af5b03e2be957a9c6c5063b38
+
+For the same web package, it supports to have multiple versions of the file in the file storage, for example, go1.14.2.linux-amd64.tar.gz-b73d6366c0bce441d20138c150e2ddcdf406e654 (fake hash value), but for the same commit, the same version is used.
+
+There are multiple solutions for the file storage, such as FTP server, NFS server, Http Server, we do not focus on how to implement the file storage. In this document, we use Azure Storage Blob Container as the file storage. When you wget the web package [https://storage.googleapis.com/golang/go1.14.2.linux-amd64.tar.gz](https://storage.googleapis.com/golang/go1.14.2.linux-amd64.tar.gz), it will actually download package from the URL like [https://sonicstorage.blob.core.windows.net/public/go1.14.2.linux-amd64.tar.gz-ebef065e4d35572af5b03e2be957a9c6c5063b38](https://sonicstorage.blob.core.windows.net/public/go1.14.2.linux-amd64.tar.gz-ebef065e4d35572af5b03e2be957a9c6c5063b38) during the build, in this case, the storage account URL is [https://sonicstorage.blob.core.windows.net](https://sonicstorage.blob.core.windows.net/), and the container name is public. Some of the packages are already in the same storage account, it is not necessary to add to the version in the configuration file.
+
+## The process to use a new web package
+
+Option A: Manually upload package (only for file storage admin)
+
+1. Manually upload the web package to the file storage.
+2. Change the web package version configuration file to register the package, and use the wget/curl to download the package in your build script.
+
+Option B: Automatically upload package (for all)
+
+![](images/upload-package-automation.png)
+
+1. Change the web package version configuration file to register the package.
+
+Developer sends a Pull Request to register the web package, the web package URL and the package hash value (sha1sum) should be provided. The PR should be only one-line change in files/build/versions/versions-web, see [Web Package Version Configuration](#_Web_Package_Version).
+
+1. Upload the web package to the file storage.
+
+When the Pull Request is complete, and the commit is merged to the master branch, a background task is triggered to download the package, check the hash value, and upload to the file storage.
+
+1. Use the web package in your build script.
+
+Expect the step 2 is complete automatically. When the step 2 is complete, the web package is ready to use.
+
+## Work Items
+
+1. Generate the initial version files for web packages.
+2. Add the new wget/curl command, verify the hash value.
+3. Enable the new commands in Dockerfile files and Makefile files.
+4. Implement the web packages uploading to file storage automation Jenkins pipeline.
+
+# Debian Package Mirror
+
+Debian official mirror only supports a single version of each binary package in any given release by design. For reproduceable build, it is required to manage previous versions of Debian packages. The designed Debian package mirror is to guarantee that all the versions of Debian packages used by sonic-imagebuild exist in the mirror.
+
+The current design of the Debian package mirror is managed by [Aptly](https://www.aptly.info/). The [Azure Storage Static Website](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website) is used to publish the mirror. The [Azure Content Delivery Network (CDN)](https://docs.microsoft.com/en-us/azure/cdn/cdn-overview) integrated with Azure Storage Account is enabled to cache content from Azure Storage. To improve availability and performance, [Azure Traffic Manager](https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview) that supports failover across multiple Azure CDN endpoints, is exposed to users.
+
+![](images/azure-debian-mirror.png)
+
+
+
+## Debian Package Mirror managed by Aptly
+
+Steps to publish a Debian package mirror by Aptly:
+
+1. Create a mirror pool and update the pool, example commands as below:
+
+   _aptly mirror create debian-buster-main http://deb.debian.org/debian buster main_
+
+   _aptly mirror update debian-buster-main_
+
+2. Create a repository and import the packages from mirror pool, example commands as below:
+
+   _aptly repo create repo-debian-buster-main_
+
+   _aptly repo import debian-buster-main repo-debian-buster-main_
+
+3. Publish a repository
+
+   _aptly publish repo -distribution=buster repo-debian-buster_
+
+Steps to update a Debian package mirror by Aptly:
+
+1. Update the mirror pool
+
+   _aptly mirror update debian-buster-main_
+
+2. Import the repository
+
+   _aptly repo import debian-buster-main repo-debian-buster-main_
+
+3. Update the publish
+
+   _aptly publish update buster_
+
+To Publish the mirror to Azure Storage, [Azure Blob Fuse](https://github.com/Azure/azure-storage-fuse) supports to mount the Azure Blob Container to the filesystem, it makes easy to publish the Debian package mirror. The Azure Storage Account, storage container name and the Storage Account Assess Key or Storage SAS Token should be provided. The publish settings of aptly are as below:
+
+_&quot;FileSystemPublishEndpoints&quot;: {_
+
+_&quot;web&quot;: {_
+
+_&quot;rootDir&quot;: &quot; __/data/aptly/debian/web__&quot;,_
+
+_&quot;linkMethod&quot;: &quot;copy&quot;,_
+
+_&quot;verifyMethod&quot;:&quot;md5&quot;_
+
+_},_
+
+…
+
+_}_
+
+The rootDir above can be a blob fuse mount point. It will publish to Azure Storage directly.
+
+It is not guaranteed that all the Debian packages are in the mirror, if the size of the mirror glows too fast, we will remove some of the old versions of the packages which are not used by SONiC.
+
+# Pypi Package Mirror
+
+The Pypi official mirror supports multiple versions of each binary package. It is not required to have an additional mirror for the reproduceable build. Not like Debian package mirror, the designed Pypi mirror only publishes the packages used by SONiC image build, the other packages will not be published. Because the size of the full Pypi package mirror is up to 6 trillion bytes now, it is really hard to manage.
+
+The design of the Pypi package mirror is only for monitoring and alerting. When a specified version of the package is used in SONiC, we can expect the package should never be changed. If it was changed (the same package name and version, but different binary), we will be notified.
+
+If a package used by SONiC is removed from the Pypi official mirror accidently, the SONiC build will be failed. One of the solution is to add the extra URLs for pip command, see [here](https://pip.pypa.io/en/stable/reference/pip_install/#install-extra-index-url). But the risk should be very low, we keep to update the version to the latest one by design. It should not be the high priority task to do it.
+
+To publish only the packages used by SONiC, the used packages and versions should be collected by SONiC build. The input file should be like this as below:
+
+_Automat==0.6.0_
+
+_Babel==2.3.4_
+
+_Babel==2.6.0_
+
+_Flask==1.1.2_
+
+_Jinja2==2.10_
+
+_Jinja2==2.11.2_
+
+_Jinja2==2.7.3_
+
+For one package, it may contain several versions to publish. The input file schema is the same as the Pypi version control file.
+
+The [python-pypi-mirror](https://pypi.org/project/python-pypi-mirror/) is used to publish the Pypi mirror to [Azure Storage Static Website](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website), likes Debian package mirror, it supports CDN and traffic manager.
+
+# Docker Base Images
+
+In the original design, the base images of the SONiC Dockerfile are based on image tag, for instance, in the Dockerfile sonic-slave-buster/Dockerfile, the base image is debian:buster, we can find &quot;From debian:buster&quot; in the file. When a new debian buster image is pushed in the docker registry, the debian:buster will refer to the new one, it is not reproduceable. To make it support reproduceable, we can change to refer to the digest hash value of the image. The docker base images that are based on the image tag will be changed to base on the image digest to support reproduceable build. The Dockerfile as below is based on the image tag:
+
+_From \<image\>:\<tag\>_
+
+Example:
+
+_From debian:buster_
+
+Change to:
+
+_From \<image\>:\<digest\>_
+
+Example:
+
+_From debian@sha256:439a6bae1ef351ba9308fc9a5e69ff7754c14516f6be8ca26975fb564cb7fb76_
+
+The docker file will be changed to use the right digest during the build based on a version control file in file/build/versions/versions-docker-base, the content of the file is as below:
+
+debian:buster==_sha256:439a6bae1ef351ba9308fc9a5e69ff7754c14516f6be8ca26975fb564cb7fb76_
+
+debian:stretch==_sha256:335ecf9e8d9b2206c2e9e7f8b09547faa9f868e694f7c5be14c38be15ea8a7cf_
+
+debian:jessie==_sha256:8fc7649643ca1acd3940706613ea7b170762cfce6e7955a6afb387aa40e9f9ea_
+
+# Git Repository
+
+The SONiC build will download source code from remote repository during the build. For instance, when building sflow, it will download source code by command: git clone [https://github.com/sflow/sflowtool](https://github.com/sflow/sflowtool). It will download the latest source code, not reproduceable.
+
+A version control file is introduced to control which commit of the git repository will be download when building SONiC image. The schema of the version control file is same as wget/curl. The content of the control file likes as below:
+
+[https://github.com/sflow/sflowtool==1e42bc69fab8a8bc58b04a0ff9ad2c366eef6121](https://github.com/sflow/sflowtool==1e42bc69fab8a8bc58b04a0ff9ad2c366eef6121)
+
+It will run &quot;git reset <commit id> --hard&quot; after the &quot;git clone&quot; command.
+
+We do not manage the git repositories, if a git commit used by SONiC is removed, then the build will be broken.
+
+# Q&A
+
+1. Is the reproduceable build feature will be enabled in all branches?
+
+   It will be only enabled on the release branches, master branch will not be enabled in the short term.
+
+2. How a developer adds version configuration for new packages in a docker image?
+
+   The developer should build the docker image or any other targets, the referred packages will be collected into target folder automatically during the build, the developer can run a command "make freeze" to freeze the version configuration without manual effort to manage it, then checks in the version changes by "git add files/build/versions" together with the code change.
+
+3. How a developer upgrades the packages to latest versions?
+
+   The developer can upgrade the packages for one target or multiple targets, and can upgrades only one component or multiple components. There are two steps to do it, the first step is to make the targets with version version control option "make SONIC_VERSION_CONTROL_COMPONENTS=none \<targets>",  the second step is to freeze the version by command "make freeze" the same as mentioned above. See more options in "rule/config".
+
+4. How a developer merges code across branches? How to resolve the version conflict?
+
+   The process to merge version files is similar to merge code, we need to resolve the version conflict. To use the higher version or lower version depended on the usage scenarios, we would like to use to latest version better than the old one, but for some release branches, keep older version may be better.
+
+5. How to migrate from one debian distribution to anther one?
+
+   In the version configuration files, different version files are used in different distributions if the version files are relative the distribution. For example, the version file name versions-deb-buster is used for debian packages in buster distribution. But for python packages, we use version-py2 and version-py3 by default, it is not relative to distribution.
+
+   When migrating from stretch to buster, we may need to add additional version configuration for debian packages, but not require to add version files for python packages. See Q&A #2 for adding additional version configuration and #4 for version conflict.
+
+