From jira at ovirt-jira.atlassian.net Thu Feb  8 13:28:38 2018
Content-Type: multipart/mixed; boundary="===============4204193713153620809=="
MIME-Version: 1.0
From: Barak Korren (oVirt JIRA) <jira at ovirt-jira.atlassian.net>
To: infra at ovirt.org
Subject: [JIRA] (OVIRT-1867) Allow embedded secrets inside the source repo for
 CI
Date: Thu, 08 Feb 2018 13:28:37 +0000
Message-ID: <JIRA.33417.1517308592000.7b49b970-b65b-43e1-bb9c-c42cd8b53ac4.1518096517048@Atlassian.JIRA>
In-Reply-To: JIRA.33417.1517308592000@Atlassian.JIRA

--===============4204193713153620809==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

This is a multi-part message in MIME format...

------------=3D_1518096517-16706-206
Content-Type: text/plain; charset=3DUTF-8
Content-Transfer-Encoding: 7bit


    [ https://ovirt-jira.atlassian.net/browse/OVIRT-1867?page=3Dcom.atlassi=
an.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D35=
768#comment-35768 ] =


Barak Korren commented on OVIRT-1867:
-------------------------------------

Here is an implementation scheme that can meet [~rmohr(a)redhat.com]'s UX r=
equirements while still allowing STDCI projects to be portable between CI s=
ystems.

First, we adopt or setup an online credentials storage service that has the=
 following features:
# It has a UI where users can login and upload or download credentials
# It has functionality where it can generate key pairs while storing the pr=
ivate key and making the public key visible.
# It supports a oAuth-like flow where a system can request access to certai=
n credentials and the user can confirm or deny it.

Second, we write a secrets provider that allows the user to refer to a set =
of credentials in the service above (As well as the service itself). When t=
rying to provide the secrets, the system would request access via the crede=
ntials storage service.

Third, we write an STDCI service that encapsulates the special-case flow wh=
ere we get a private key from the secrets provider and use it tio decrypt f=
iles from the Git repo.

> Allow embedded secrets inside the source repo for CI
> ----------------------------------------------------
>
>                 Key: OVIRT-1867
>                 URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1867
>             Project: oVirt - virtualization made easy
>          Issue Type: New Feature
>          Components: Standard CI (Pipelines), STDCI DSL
>            Reporter: Roman Mohr
>            Assignee: infra
>              Labels: credentials
>
> In order to improve the self-service capabilities of standard-ci it is
> important for projects, that they can add their own secrets to projects (=
to
> reach external services, e.g. docker hub, ...).
> Travis has a very nice system which helps engineers there:
> https://docs.travis-ci.com/user/encryption-keys/
> Basically the CI system needs to generate a public/private key pair for
> every enabled git repo. The engineer simply fetches the public key via a
> well know URL and encrypts the secrets. Then the encrypted secret can be
> made part of the source repo. Before the tests are run the CI system
> decrypts the secrets. Than can play together pretty well with Jenkinsfiles
> too.
> Benefit:
>  * Less manual intervention from CI team to add secrets to jobs
>  * Strengthen the config-in-code thinking



--
This message was sent by Atlassian Jira
(v1001.0.0-SNAPSHOT#100079)

------------=3D_1518096517-16706-206
Content-Type: text/html; charset=3D"UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

<html><body>
<pre>[ https://ovirt-jira.atlassian.net/browse/OVIRT-1867?page=3Dcom.atlass=
ian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=
=3D35768#comment-35768 ]</pre>
<h3>Barak Korren commented on OVIRT-1867:</h3>
<p>Here is an implementation scheme that can meet [~rmohr(a)redhat.com]'s U=
X requirements while still allowing STDCI projects to be portable between C=
I systems.</p>
<p>First, we adopt or setup an online credentials storage service that has =
the following features: # It has a UI where users can login and upload or d=
ownload credentials # It has functionality where it can generate key pairs =
while storing the private key and making the public key visible. # It suppo=
rts a oAuth-like flow where a system can request access to certain credenti=
als and the user can confirm or deny it.</p>
<p>Second, we write a secrets provider that allows the user to refer to a s=
et of credentials in the service above (As well as the service itself). Whe=
n trying to provide the secrets, the system would request access via the cr=
edentials storage service.</p>
<p>Third, we write an STDCI service that encapsulates the special-case flow=
 where we get a private key from the secrets provider and use it tio decryp=
t files from the Git repo.</p>
<blockquote><h3>Allow embedded secrets inside the source repo for CI</h3>
<pre>     Key: OVIRT-1867
     URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1867
 Project: oVirt - virtualization made easy
         Issue Type: New Feature
         Components: Standard CI (Pipelines), STDCI DSL
Reporter: Roman Mohr
Assignee: infra
  Labels: credentials</pre>
<p>In order to improve the self-service capabilities of standard-ci it is i=
mportant for projects, that they can add their own secrets to projects (to =
reach external services, e.g. docker hub, &hellip;). Travis has a very nice=
 system which helps engineers there: <a href=3D"https://docs.travis-ci.com/=
user/encryption-keys/">https://docs.travis-ci.com/user/encryption-keys/</a>=
 Basically the CI system needs to generate a public/private key pair for ev=
ery enabled git repo. The engineer simply fetches the public key via a well=
 know URL and encrypts the secrets. Then the encrypted secret can be made p=
art of the source repo. Before the tests are run the CI system decrypts the=
 secrets. Than can play together pretty well with Jenkinsfiles too. Benefit=
:</p>
<pre>* Less manual intervention from CI team to add secrets to jobs
* Strengthen the config-in-code thinking</pre></blockquote>
<p>&mdash; This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#1000=
79)</p>

<img src=3D"https://u4043402.ct.sendgrid.net/wf/open?upn=3Di5TMWGV99amJbNxJ=
pSp2-2BJ33BSM3tuiUfRTk64K-2BOjGpF-2BuMzoJRRB1ifzZIErtIxTccLy521zz7OxZViB5mn=
pbbwYJFz6flgevXOzUJVH-2FqBqvcqqqKIp3p4OcyDFOsRwvaLk1r7X8JpLEbbYtQ-2F8se-2FA=
oG3NqMy6MEF960fM4WCfArIPipDAxV3I9QtDxwIZkeNWD9yApPsdJra3V4NT7hIOoTif46hN9A2=
Na-2BIseHngSSOzrSPo87Xs5dlTOpVf3WET8wsw5olw4eOwPck7Bw-2FNKYDOxy9GcB2L4vKLwB=
G2f9i31ANNYjZmpEgbusYdFrGH7wpouumTJ8Wz1vWdk2glcUL9jwnyM9QbmB-2Fow82Krb-2BFp=
ANEGbWKZfJbiBNK55DeUIR35chw0OzjYwDl-2BT4RExwSs3vq06lD4QFseow-2Fvnodv2P8fy6G=
wFuRAd" alt=3D"" width=3D"1" height=3D"1" border=3D"0" style=3D"height:1px =
!important;width:1px !important;border-width:0 !important;margin-top:0 !imp=
ortant;margin-bottom:0 !important;margin-right:0 !important;margin-left:0 !=
important;padding-top:0 !important;padding-bottom:0 !important;padding-righ=
t:0 !important;padding-left:0 !important;"/>
</body></html>

------------=3D_1518096517-16706-206--

--===============4204193713153620809==
Content-Type: multipart/alternative
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.bin"

VGhpcyBpcyBhIG11bHRpLXBhcnQgbWVzc2FnZSBpbiBNSU1FIGZvcm1hdC4uLgoKLS0tLS0tLS0t
LS0tPV8xNTE4MDk2NTE3LTE2NzA2LTIwNgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW47IGNoYXJz
ZXQ9VVRGLTgKQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogN2JpdAoKCiAgICBbIGh0dHBzOi8v
b3ZpcnQtamlyYS5hdGxhc3NpYW4ubmV0L2Jyb3dzZS9PVklSVC0xODY3P3BhZ2U9Y29tLmF0bGFz
c2lhbi5qaXJhLnBsdWdpbi5zeXN0ZW0uaXNzdWV0YWJwYW5lbHM6Y29tbWVudC10YWJwYW5lbCZm
b2N1c2VkQ29tbWVudElkPTM1NzY4I2NvbW1lbnQtMzU3NjggXSAKCkJhcmFrIEtvcnJlbiBjb21t
ZW50ZWQgb24gT1ZJUlQtMTg2NzoKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LQoKSGVyZSBpcyBhbiBpbXBsZW1lbnRhdGlvbiBzY2hlbWUgdGhhdCBjYW4gbWVldCBbfnJtb2hy
QHJlZGhhdC5jb21dJ3MgVVggcmVxdWlyZW1lbnRzIHdoaWxlIHN0aWxsIGFsbG93aW5nIFNURENJ
IHByb2plY3RzIHRvIGJlIHBvcnRhYmxlIGJldHdlZW4gQ0kgc3lzdGVtcy4KCkZpcnN0LCB3ZSBh
ZG9wdCBvciBzZXR1cCBhbiBvbmxpbmUgY3JlZGVudGlhbHMgc3RvcmFnZSBzZXJ2aWNlIHRoYXQg
aGFzIHRoZSBmb2xsb3dpbmcgZmVhdHVyZXM6CiMgSXQgaGFzIGEgVUkgd2hlcmUgdXNlcnMgY2Fu
IGxvZ2luIGFuZCB1cGxvYWQgb3IgZG93bmxvYWQgY3JlZGVudGlhbHMKIyBJdCBoYXMgZnVuY3Rp
b25hbGl0eSB3aGVyZSBpdCBjYW4gZ2VuZXJhdGUga2V5IHBhaXJzIHdoaWxlIHN0b3JpbmcgdGhl
IHByaXZhdGUga2V5IGFuZCBtYWtpbmcgdGhlIHB1YmxpYyBrZXkgdmlzaWJsZS4KIyBJdCBzdXBw
b3J0cyBhIG9BdXRoLWxpa2UgZmxvdyB3aGVyZSBhIHN5c3RlbSBjYW4gcmVxdWVzdCBhY2Nlc3Mg
dG8gY2VydGFpbiBjcmVkZW50aWFscyBhbmQgdGhlIHVzZXIgY2FuIGNvbmZpcm0gb3IgZGVueSBp
dC4KClNlY29uZCwgd2Ugd3JpdGUgYSBzZWNyZXRzIHByb3ZpZGVyIHRoYXQgYWxsb3dzIHRoZSB1
c2VyIHRvIHJlZmVyIHRvIGEgc2V0IG9mIGNyZWRlbnRpYWxzIGluIHRoZSBzZXJ2aWNlIGFib3Zl
IChBcyB3ZWxsIGFzIHRoZSBzZXJ2aWNlIGl0c2VsZikuIFdoZW4gdHJ5aW5nIHRvIHByb3ZpZGUg
dGhlIHNlY3JldHMsIHRoZSBzeXN0ZW0gd291bGQgcmVxdWVzdCBhY2Nlc3MgdmlhIHRoZSBjcmVk
ZW50aWFscyBzdG9yYWdlIHNlcnZpY2UuCgpUaGlyZCwgd2Ugd3JpdGUgYW4gU1REQ0kgc2Vydmlj
ZSB0aGF0IGVuY2Fwc3VsYXRlcyB0aGUgc3BlY2lhbC1jYXNlIGZsb3cgd2hlcmUgd2UgZ2V0IGEg
cHJpdmF0ZSBrZXkgZnJvbSB0aGUgc2VjcmV0cyBwcm92aWRlciBhbmQgdXNlIGl0IHRpbyBkZWNy
eXB0IGZpbGVzIGZyb20gdGhlIEdpdCByZXBvLgoKPiBBbGxvdyBlbWJlZGRlZCBzZWNyZXRzIGlu
c2lkZSB0aGUgc291cmNlIHJlcG8gZm9yIENJCj4gLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQo+Cj4gICAgICAgICAgICAgICAgIEtleTogT1ZJUlQt
MTg2Nwo+ICAgICAgICAgICAgICAgICBVUkw6IGh0dHBzOi8vb3ZpcnQtamlyYS5hdGxhc3NpYW4u
bmV0L2Jyb3dzZS9PVklSVC0xODY3Cj4gICAgICAgICAgICAgUHJvamVjdDogb1ZpcnQgLSB2aXJ0
dWFsaXphdGlvbiBtYWRlIGVhc3kKPiAgICAgICAgICBJc3N1ZSBUeXBlOiBOZXcgRmVhdHVyZQo+
ICAgICAgICAgIENvbXBvbmVudHM6IFN0YW5kYXJkIENJIChQaXBlbGluZXMpLCBTVERDSSBEU0wK
PiAgICAgICAgICAgIFJlcG9ydGVyOiBSb21hbiBNb2hyCj4gICAgICAgICAgICBBc3NpZ25lZTog
aW5mcmEKPiAgICAgICAgICAgICAgTGFiZWxzOiBjcmVkZW50aWFscwo+Cj4gSW4gb3JkZXIgdG8g
aW1wcm92ZSB0aGUgc2VsZi1zZXJ2aWNlIGNhcGFiaWxpdGllcyBvZiBzdGFuZGFyZC1jaSBpdCBp
cwo+IGltcG9ydGFudCBmb3IgcHJvamVjdHMsIHRoYXQgdGhleSBjYW4gYWRkIHRoZWlyIG93biBz
ZWNyZXRzIHRvIHByb2plY3RzICh0bwo+IHJlYWNoIGV4dGVybmFsIHNlcnZpY2VzLCBlLmcuIGRv
Y2tlciBodWIsIC4uLikuCj4gVHJhdmlzIGhhcyBhIHZlcnkgbmljZSBzeXN0ZW0gd2hpY2ggaGVs
cHMgZW5naW5lZXJzIHRoZXJlOgo+IGh0dHBzOi8vZG9jcy50cmF2aXMtY2kuY29tL3VzZXIvZW5j
cnlwdGlvbi1rZXlzLwo+IEJhc2ljYWxseSB0aGUgQ0kgc3lzdGVtIG5lZWRzIHRvIGdlbmVyYXRl
IGEgcHVibGljL3ByaXZhdGUga2V5IHBhaXIgZm9yCj4gZXZlcnkgZW5hYmxlZCBnaXQgcmVwby4g
VGhlIGVuZ2luZWVyIHNpbXBseSBmZXRjaGVzIHRoZSBwdWJsaWMga2V5IHZpYSBhCj4gd2VsbCBr
bm93IFVSTCBhbmQgZW5jcnlwdHMgdGhlIHNlY3JldHMuIFRoZW4gdGhlIGVuY3J5cHRlZCBzZWNy
ZXQgY2FuIGJlCj4gbWFkZSBwYXJ0IG9mIHRoZSBzb3VyY2UgcmVwby4gQmVmb3JlIHRoZSB0ZXN0
cyBhcmUgcnVuIHRoZSBDSSBzeXN0ZW0KPiBkZWNyeXB0cyB0aGUgc2VjcmV0cy4gVGhhbiBjYW4g
cGxheSB0b2dldGhlciBwcmV0dHkgd2VsbCB3aXRoIEplbmtpbnNmaWxlcwo+IHRvby4KPiBCZW5l
Zml0Ogo+ICAqIExlc3MgbWFudWFsIGludGVydmVudGlvbiBmcm9tIENJIHRlYW0gdG8gYWRkIHNl
Y3JldHMgdG8gam9icwo+ICAqIFN0cmVuZ3RoZW4gdGhlIGNvbmZpZy1pbi1jb2RlIHRoaW5raW5n
CgoKCi0tClRoaXMgbWVzc2FnZSB3YXMgc2VudCBieSBBdGxhc3NpYW4gSmlyYQoodjEwMDEuMC4w
LVNOQVBTSE9UIzEwMDA3OSkKCi0tLS0tLS0tLS0tLT1fMTUxODA5NjUxNy0xNjcwNi0yMDYKQ29u
dGVudC1UeXBlOiB0ZXh0L2h0bWw7IGNoYXJzZXQ9IlVURi04IgpDb250ZW50LURpc3Bvc2l0aW9u
OiBpbmxpbmUKQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogN2JpdAoKPGh0bWw+PGJvZHk+Cjxw
cmU+WyBodHRwczovL292aXJ0LWppcmEuYXRsYXNzaWFuLm5ldC9icm93c2UvT1ZJUlQtMTg2Nz9w
YWdlPWNvbS5hdGxhc3NpYW4uamlyYS5wbHVnaW4uc3lzdGVtLmlzc3VldGFicGFuZWxzOmNvbW1l
bnQtdGFicGFuZWwmYW1wO2ZvY3VzZWRDb21tZW50SWQ9MzU3NjgjY29tbWVudC0zNTc2OCBdPC9w
cmU+CjxoMz5CYXJhayBLb3JyZW4gY29tbWVudGVkIG9uIE9WSVJULTE4Njc6PC9oMz4KPHA+SGVy
ZSBpcyBhbiBpbXBsZW1lbnRhdGlvbiBzY2hlbWUgdGhhdCBjYW4gbWVldCBbfnJtb2hyQHJlZGhh
dC5jb21dJ3MgVVggcmVxdWlyZW1lbnRzIHdoaWxlIHN0aWxsIGFsbG93aW5nIFNURENJIHByb2pl
Y3RzIHRvIGJlIHBvcnRhYmxlIGJldHdlZW4gQ0kgc3lzdGVtcy48L3A+CjxwPkZpcnN0LCB3ZSBh
ZG9wdCBvciBzZXR1cCBhbiBvbmxpbmUgY3JlZGVudGlhbHMgc3RvcmFnZSBzZXJ2aWNlIHRoYXQg
aGFzIHRoZSBmb2xsb3dpbmcgZmVhdHVyZXM6ICMgSXQgaGFzIGEgVUkgd2hlcmUgdXNlcnMgY2Fu
IGxvZ2luIGFuZCB1cGxvYWQgb3IgZG93bmxvYWQgY3JlZGVudGlhbHMgIyBJdCBoYXMgZnVuY3Rp
b25hbGl0eSB3aGVyZSBpdCBjYW4gZ2VuZXJhdGUga2V5IHBhaXJzIHdoaWxlIHN0b3JpbmcgdGhl
IHByaXZhdGUga2V5IGFuZCBtYWtpbmcgdGhlIHB1YmxpYyBrZXkgdmlzaWJsZS4gIyBJdCBzdXBw
b3J0cyBhIG9BdXRoLWxpa2UgZmxvdyB3aGVyZSBhIHN5c3RlbSBjYW4gcmVxdWVzdCBhY2Nlc3Mg
dG8gY2VydGFpbiBjcmVkZW50aWFscyBhbmQgdGhlIHVzZXIgY2FuIGNvbmZpcm0gb3IgZGVueSBp
dC48L3A+CjxwPlNlY29uZCwgd2Ugd3JpdGUgYSBzZWNyZXRzIHByb3ZpZGVyIHRoYXQgYWxsb3dz
IHRoZSB1c2VyIHRvIHJlZmVyIHRvIGEgc2V0IG9mIGNyZWRlbnRpYWxzIGluIHRoZSBzZXJ2aWNl
IGFib3ZlIChBcyB3ZWxsIGFzIHRoZSBzZXJ2aWNlIGl0c2VsZikuIFdoZW4gdHJ5aW5nIHRvIHBy
b3ZpZGUgdGhlIHNlY3JldHMsIHRoZSBzeXN0ZW0gd291bGQgcmVxdWVzdCBhY2Nlc3MgdmlhIHRo
ZSBjcmVkZW50aWFscyBzdG9yYWdlIHNlcnZpY2UuPC9wPgo8cD5UaGlyZCwgd2Ugd3JpdGUgYW4g
U1REQ0kgc2VydmljZSB0aGF0IGVuY2Fwc3VsYXRlcyB0aGUgc3BlY2lhbC1jYXNlIGZsb3cgd2hl
cmUgd2UgZ2V0IGEgcHJpdmF0ZSBrZXkgZnJvbSB0aGUgc2VjcmV0cyBwcm92aWRlciBhbmQgdXNl
IGl0IHRpbyBkZWNyeXB0IGZpbGVzIGZyb20gdGhlIEdpdCByZXBvLjwvcD4KPGJsb2NrcXVvdGU+
PGgzPkFsbG93IGVtYmVkZGVkIHNlY3JldHMgaW5zaWRlIHRoZSBzb3VyY2UgcmVwbyBmb3IgQ0k8
L2gzPgo8cHJlPiAgICAgS2V5OiBPVklSVC0xODY3CiAgICAgVVJMOiBodHRwczovL292aXJ0LWpp
cmEuYXRsYXNzaWFuLm5ldC9icm93c2UvT1ZJUlQtMTg2NwogUHJvamVjdDogb1ZpcnQgLSB2aXJ0
dWFsaXphdGlvbiBtYWRlIGVhc3kKICAgICAgICAgSXNzdWUgVHlwZTogTmV3IEZlYXR1cmUKICAg
ICAgICAgQ29tcG9uZW50czogU3RhbmRhcmQgQ0kgKFBpcGVsaW5lcyksIFNURENJIERTTApSZXBv
cnRlcjogUm9tYW4gTW9ocgpBc3NpZ25lZTogaW5mcmEKICBMYWJlbHM6IGNyZWRlbnRpYWxzPC9w
cmU+CjxwPkluIG9yZGVyIHRvIGltcHJvdmUgdGhlIHNlbGYtc2VydmljZSBjYXBhYmlsaXRpZXMg
b2Ygc3RhbmRhcmQtY2kgaXQgaXMgaW1wb3J0YW50IGZvciBwcm9qZWN0cywgdGhhdCB0aGV5IGNh
biBhZGQgdGhlaXIgb3duIHNlY3JldHMgdG8gcHJvamVjdHMgKHRvIHJlYWNoIGV4dGVybmFsIHNl
cnZpY2VzLCBlLmcuIGRvY2tlciBodWIsICZoZWxsaXA7KS4gVHJhdmlzIGhhcyBhIHZlcnkgbmlj
ZSBzeXN0ZW0gd2hpY2ggaGVscHMgZW5naW5lZXJzIHRoZXJlOiA8YSBocmVmPSJodHRwczovL2Rv
Y3MudHJhdmlzLWNpLmNvbS91c2VyL2VuY3J5cHRpb24ta2V5cy8iPmh0dHBzOi8vZG9jcy50cmF2
aXMtY2kuY29tL3VzZXIvZW5jcnlwdGlvbi1rZXlzLzwvYT4gQmFzaWNhbGx5IHRoZSBDSSBzeXN0
ZW0gbmVlZHMgdG8gZ2VuZXJhdGUgYSBwdWJsaWMvcHJpdmF0ZSBrZXkgcGFpciBmb3IgZXZlcnkg
ZW5hYmxlZCBnaXQgcmVwby4gVGhlIGVuZ2luZWVyIHNpbXBseSBmZXRjaGVzIHRoZSBwdWJsaWMg
a2V5IHZpYSBhIHdlbGwga25vdyBVUkwgYW5kIGVuY3J5cHRzIHRoZSBzZWNyZXRzLiBUaGVuIHRo
ZSBlbmNyeXB0ZWQgc2VjcmV0IGNhbiBiZSBtYWRlIHBhcnQgb2YgdGhlIHNvdXJjZSByZXBvLiBC
ZWZvcmUgdGhlIHRlc3RzIGFyZSBydW4gdGhlIENJIHN5c3RlbSBkZWNyeXB0cyB0aGUgc2VjcmV0
cy4gVGhhbiBjYW4gcGxheSB0b2dldGhlciBwcmV0dHkgd2VsbCB3aXRoIEplbmtpbnNmaWxlcyB0
b28uIEJlbmVmaXQ6PC9wPgo8cHJlPiogTGVzcyBtYW51YWwgaW50ZXJ2ZW50aW9uIGZyb20gQ0kg
dGVhbSB0byBhZGQgc2VjcmV0cyB0byBqb2JzCiogU3RyZW5ndGhlbiB0aGUgY29uZmlnLWluLWNv
ZGUgdGhpbmtpbmc8L3ByZT48L2Jsb2NrcXVvdGU+CjxwPiZtZGFzaDsgVGhpcyBtZXNzYWdlIHdh
cyBzZW50IGJ5IEF0bGFzc2lhbiBKaXJhICh2MTAwMS4wLjAtU05BUFNIT1QjMTAwMDc5KTwvcD4K
CjxpbWcgc3JjPSJodHRwczovL3U0MDQzNDAyLmN0LnNlbmRncmlkLm5ldC93Zi9vcGVuP3Vwbj1p
NVRNV0dWOTlhbUpiTnhKcFNwMi0yQkozM0JTTTN0dWlVZlJUazY0Sy0yQk9qR3BGLTJCdU16b0pS
UkIxaWZ6WklFcnRJeFRjY0x5NTIxeno3T3haVmlCNW1ucGJid1lKRno2ZmxnZXZYT3pVSlZILTJG
cUJxdmNxcXFLSXAzcDRPY3lERk9zUnd2YUxrMXI3WDhKcExFYmJZdFEtMkY4c2UtMkZBb0czTnFN
eTZNRUY5NjBmTTRXQ2ZBcklQaXBEQXhWM0k5UXREeHdJWmtlTldEOXlBcFBzZEpyYTNWNE5UN2hJ
T29UaWY0NmhOOUEyTmEtMkJJc2VIbmdTU096clNQbzg3WHM1ZGxUT3BWZjNXRVQ4d3N3NW9sdzRl
T3dQY2s3QnctMkZOS1lET3h5OUdjQjJMNHZLTHdCRzJmOWkzMUFOTllqWm1wRWdidXNZZEZyR0g3
d3BvdXVtVEo4V3oxdldkazJnbGNVTDlqd255TTlRYm1CLTJGb3c4MktyYi0yQkZwQU5FR2JXS1pm
SmJpQk5LNTVEZVVJUjM1Y2h3ME96all3RGwtMkJUNFJFeHdTczN2cTA2bEQ0UUZzZW93LTJGdm5v
ZHYyUDhmeTZHd0Z1UkFkIiBhbHQ9IiIgd2lkdGg9IjEiIGhlaWdodD0iMSIgYm9yZGVyPSIwIiBz
dHlsZT0iaGVpZ2h0OjFweCAhaW1wb3J0YW50O3dpZHRoOjFweCAhaW1wb3J0YW50O2JvcmRlci13
aWR0aDowICFpbXBvcnRhbnQ7bWFyZ2luLXRvcDowICFpbXBvcnRhbnQ7bWFyZ2luLWJvdHRvbTow
ICFpbXBvcnRhbnQ7bWFyZ2luLXJpZ2h0OjAgIWltcG9ydGFudDttYXJnaW4tbGVmdDowICFpbXBv
cnRhbnQ7cGFkZGluZy10b3A6MCAhaW1wb3J0YW50O3BhZGRpbmctYm90dG9tOjAgIWltcG9ydGFu
dDtwYWRkaW5nLXJpZ2h0OjAgIWltcG9ydGFudDtwYWRkaW5nLWxlZnQ6MCAhaW1wb3J0YW50OyIv
Pgo8L2JvZHk+PC9odG1sPgoKLS0tLS0tLS0tLS0tPV8xNTE4MDk2NTE3LTE2NzA2LTIwNi0tCg==

--===============4204193713153620809==--