pool/bubblewrap
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- fix shebang in demos/flatpak-run.sh

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/bubblewrap?expand=0&rev=43
This commit is contained in:
Sebastian Wagner 2024-11-17 13:53:32 +00:00 committed by Git OBS Bridge
commit 1d7e0431da
9 changed files with 809 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

BIN
bubblewrap-0.10.0.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

3
bubblewrap-0.11.0.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:988fd6b232dafa04b8b8198723efeaccdb3c6aa9c1c7936219d5791a8b7a8646
size 115228

16
bubblewrap-0.11.0.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEegc60a5pT6Jb/2LlI1wJnT6zMHYFAmciWjEACgkQI1wJnT6z
MHZhDg//YtlNR8PsIWqrY2nOj1H9IQJeTptbzB+BtyoiIl/fv0/0DWZVgZF9E0jr
VW1ju2B0oTxGSc+S71cg31r1Jj9hdj7HRVuHKfnmjHIHHuOhHfT1YDZT+KoYWl4c
iwN6x46psYABEaek79a5Ukmj+bX2pvtkqFps/zj504tBtuYHnSd4nyGFdqFr7XSx
Ioa8hVxhFjHOuMsteHrFl1a8BQbjGHwBxNVrBzs/0EEciJbwhzknhJMPXqK8LnoK
iL/BfXT7os1+aNB90MtJ3ryTt6kUXNtSoZt95qA/I4VV+/c7JK4pvqYXuRk/2OL4
nDQRFUQMquvgFutZ0hmdVAeLKhhc4y3abr3PKBrt01ymRyJwb+ahkwrMR1lqkNPz
jZhryJoQ+KkoWqG/+UcXfILJ2KiSheFwbp/vnc2JGZyirDVCE+mr5CC/Vqgh7WeF
hA9Wx2YhBoQmVwgtf5JLghYrf6eoXu13h0AD9aQrWkejgQheg4+BVnXj8VXDISkw
MtZwfGGwOR9X6O4cKq/D8/LrDPqQ+UQNMAV+xB8zSDNQGfP83MLmHxVfqzAE72Hs
aLwqrCcXvw1iISTPi5szoAnb1xDVuUtNQIRwZAXUuoXwxJQWmmKBpphXR/VRVkW1
KEQ3Ke8FMmAAYQc7tWagwTIVv7U8DOlNutmFMOu2nb9Ccme6ask=
=H36P
-----END PGP SIGNATURE-----

3
bubblewrap-0.9.0.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c6347eaced49ac0141996f46bba3b089e5e6ea4408bc1c43bab9f2d05dd094e1
size 118984

463
bubblewrap.changes Normal file
View File

@ -0,0 +1,463 @@
-------------------------------------------------------------------
Sun Nov 17 13:53:07 UTC 2024 - Sebastian Wagner <sebix@sebix.at>
- fix shebang in demos/flatpak-run.sh
-------------------------------------------------------------------
Fri Nov 1 18:56:54 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
- update to 0.11.0:
* New --overlay, --tmp-overlay, --ro-overlay and --overlay-src
options allow creation of overlay mounts. This feature is not
available when bubblewrap is installed setuid.
* New --level-prefix option produces output that can be parsed
by tools like logger --prio-prefix and
systemd-cat --level-prefix=1
* bug fixes and developer visible changes
- add upstream signing key and validate source signature
-------------------------------------------------------------------
Wed Aug 14 17:02:31 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version v0.10.0:
* New features: Add the --[ro-]bind-fd option, which can be used
to mount a filesystem represented by a file descriptor without
time-of-check/time-of-use attacks. This is needed when
resolving security issue in Flatpak.
(CVE-2024-42472, bsc#1229157)
* Other changes: Fix some confusing syntax in SetupOpFlag (no
functional change).
-------------------------------------------------------------------
Tue Apr 2 12:14:33 UTC 2024 - Wolfgang Frisch <wolfgang.frisch@suse.com>
- update to v0.9.0:
* Build system changed to Meson from Autotools
* Add --argv0
https://github.com/containers/bubblewrap/issues/91
* --symlink is now idempotent, meaning it succeeds if the symlink already
exists and already has the desired target
* Clarify security considerations in documentation
* Clarify documentation for --cap-add
* Report a better error message if mount(2) fails with ENOSPC
* Fix a double-close on error reading from --args, --seccomp or
--add-seccomp-fd argument
* Improve memory allocation behaviour
-------------------------------------------------------------------
Mon Mar 27 16:39:05 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
- update to v0.8.0:
* Add --disable-userns option to prevent the sandbox from
creating its own nested user namespace
* Add --assert-userns-disabled option to check that an existing
userns was created with --disable-userns
* Give a clearer error message if the kernel doesn't have
CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER
-------------------------------------------------------------------
Wed Dec 7 21:50:27 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to v0.7.0:
* --size option controls the size of a subsequent --tmpfs (#509)
* Better error messages if a mount operation fails (#472)
* Better error message if creating the new user namespace fails with
ENOSPC (#487)
* When building as a Meson subproject, a RUNPATH can be set on the
executable to make it easier to bundle its libcap dependency
* Fix test failures when running as uid 0 but with limited capabilities
(#510)
* Use POSIX command -v in preference to non-standard which (#527)
* Fix a copy/paste error in --help (#531)
-------------------------------------------------------------------
Wed May 18 12:43:26 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- Update to version 0.6.2:
+ New features in Meson build:
- Auto-detect whether the man page can be generated.
- -Dbwrapdir=... changes the installation directory (useful
when being used as a subproject).
- -Dtests=false disables unit tests.
+ Bug fixes:
- Add --add-seccomp-fd to shell completions
- Document --add-seccomp-fd, --json-status-fd and --share-net
in the man page
- Add attributes to silence various compiler warnings
- Allow compilation of tests with musl on mips architectures
- Allow compilation with older glibc
- Disable sanitizers for a test helper whose seccomp profile
breaks the instrumentation
- Disable AddressSanitizer leak detection where it interferes
with unit testing
-------------------------------------------------------------------
Fri Mar 4 18:13:15 UTC 2022 - Sebastian Wagner <sebix+novell.com@sebix.at>
- Update to 0.6.1:
- Add a release checklist
- completions: Make zsh completion non-executable
The Autotools build system installed it with 0644 permissions because
it's listed as DATA, but the Meson build system installs executable
files as executable by default.
zsh completions don't need to be executable to work, and this one doesn't
have the `#!` marker that should start an executable script.
- update to 0.6.0:
- meson: Improve compatibility with Meson 0.49
That version doesn't allow more than two arguments for define_variable.
- Disable test-specifying-pidns.sh under 'meson dist' while I investigate
This test is hanging when run under 'meson dist' for some reason, but
not when run under 'meson test', and not locally, only in the Github
Workflow-based CI. Disable it for now.
- meson: Actually build and run the tests
- tests: Fix compiler warnings for unused arguments
- meson: Run test scripts from $srcdir
- meson: Make G_TEST_SRCDIR, G_TEST_BUILDDIR match Autotools
- meson: Run the Python test script with Python, not bash
The python build option can be used to swap to a different interpreter,
for environments like the Steam Runtime where the python3 executable in
the PATH is extremely old but there is a better interpreter available.
This is treated as non-optional, because Meson is written in Python,
so the situation where there is no Python interpreter at build-time
shouldn't arise.
- meson: Build the try-syscall helper
- meson: Build tests with equivalent of -I$(top_srcdir) -I$(top_builddir)
- meson.build: Remove unnecessary check for sh
- Add a Meson build system
This allows bwrap to be built as a subproject in larger Meson projects.
When built as a subproject, we install into the --libexecdir and
require a program prefix to be specified: for example, Flatpak would use
program_prefix=flatpak- to get /usr/libexec/flatpak-bwrap. Verified to
be backwards-compatible as far as Meson 0.49.0 (Debian 9 backports).
Loosely based on previous work by Jussi Pakkanen (see #133).
Differences between the Autotools and Meson builds:
The Meson build requires a version of libcap that has pkg-config
metadata (introduced in libcap 2.23, in 2013).
The Meson build has no equivalent of --with-priv-mode=setuid. On
distributions like Debian <= 10 and RHEL <= 7 that require a setuid bwrap
executable, the sysadmin or distribution packaging will need to set the
correct permissions on the bwrap executable; Debian already did this via
packaging rather than the upstream build system.
The Meson build supports being used as a subproject, and there is CI
for this. It automatically disables shell completions and man pages,
moves the bubblewrap executable to ${libexecdir}, and renames the
bubblewrap executable according to a program_prefix option that the
caller must specify (for example, Flatpak would use
-Dprogram_prefix=flatpak- to get /usr/libexec/flatpak-bwrap). See the
tests/use-as-subproject/ directory for an example.
- Use HEAD to refer to other projects' default branches in documentation
This makes the URL independent of the name they have chosen for their
default branches.
- workflows: Update for rename of default branch to main
- tests: Exercise seccomp filters
- Allow loading more than one seccomp program
This will allow Flatpak to combine an allow-list (default-deny) of
known system calls with a deny-list (default-allow) of system calls
that are undesired.
Resolves: https://github.com/containers/bubblewrap/issues/453
- Generalize linked lists of LockFile and SetupOp
I'm about to add a third linked list, for seccomp programs, which would
seem like too much duplication.
- Handle argc == 0 better
Unfortunately it's possible for argc to be 0, so error out pretty early
on in that case. I don't think this is a security issue in this case.
- Fix typo
- Remove trailing whitespace
- Fix spelling
- bash: Fix shellcheck warnings
- bash: Invoke bash using /usr/bin/env
- bubblewrap: Avoid a -Wjump-misses-init false-positive
When building with -Wjump-misses-init as part of a larger project, gcc
reports that we jump past initialization of cover_proc_dirs. This is
technically true, but we only use this variable in the case where it's
initialized, so that's harmless.
However, we can avoid this altogether by making the array static and
constant, which allows it to be moved from initialized data to read-only
data.
- bind-mount: Be more const-correct
When compiled with -Wwrite-strings as part of a larger project, gcc and
clang both warn that we're assigning a string constant to a mutable
struct member. There's actually no reason why it should be mutable, so
make it const.
- die_with_error: Save errno sooner
We need to save errno immediately, otherwise it could be overwritten
by a failing library call somewhere in the implementation of fprintf.
- main: Warn when non-repeatable options are repeated
A user might reasonably expect that `bwrap --seccomp 3 --seccomp 4 ...`
would load seccomp programs from both fds 3 and 4, but in fact it only
loads the program from fd 4.
Helps: https://github.com/containers/bubblewrap/issues/453
Resolves: https://github.com/containers/bubblewrap/issues/454
- utils: Add warn()
- Add SPDX-License-Identifier for files that already specify license
This is a step towards REUSE compliance. Third-party files that we do
not otherwise edit (git.mk, m4/attributes.m4) are excluded here.
- tests: Use preferred spelling for SPDX license identifiers
- Remove obsolete .travis.yml
We no longer use Travis-CI.
- Remove obsolete papr CI
We no longer use this.
-------------------------------------------------------------------
Mon Sep 20 18:52:20 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 0.5.0:
+ New features:
- --chmod changes permissions
- --clearenv unsets every environment variable (except PWD)
- --perms sets permissions for one subsequent --bind-data,
--dir, --file, --ro-bind-data or --tmpfs
+ Other enhancements:
- Better diagnostics when a --bind or other bind-mount fails
- zsh tab-completion
- Better test coverage
+ Bug fixes:
- Use Python 3 for tests and examples
- Mount points for non-directories are created with permissions
-r--r--r-- instead of -rw-rw-rw-
- Don't remount items in /proc read-only if already EROFS,
required to run under Docker
- Allow mounting an non-directory over an existing
non-directory, e.g. --bind "$XDG_RUNTIME_DIR/my-log-socket"
/dev/log
- Silence kernel messages for our bind-mounts
- Make sure pkg-config is checked for, regardless of build
options
- Improve ability to bind-mount directories on case-insensitive
filesystems
- Fix -Wshadow warnings
- Fix deprecation warnings with newer SELinux
- Add new subpackage bubblewrap-zsh-completion
-------------------------------------------------------------------
Wed Apr 1 10:03:39 UTC 2020 - Sebastian Wagner <sebix+novell.com@sebix.at>
- Update to version 0.4.1:
* retcode: fix return code with syncfd and no event_fd
* Ensure we're always clearing the cap bounding set
* tests: Update output patterns for libcap >= 2.29
* Don't rely on geteuid() to know when to switch back from setuid root
* Don't support --userns2 in setuid mode
* fixes CVE-2020-5291
* fixes bsc#1168291
-------------------------------------------------------------------
Fri Dec 20 22:59:52 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 0.4.0:
+ The biggest feature in this release is the support for joining
existing user and pid namespaces. This doesn't work in the
setuid mode (at the moment).
+ Other changes:
- Stores namespace info in status json.
- In setuid mode pid 1 is now marked dumpable.
- Now builds with musl libc.
-------------------------------------------------------------------
Fri Jun 7 14:38:21 UTC 2019 - Antonio Larrosa <alarrosa@suse.com>
- Use /bin/bash instead of /usr/bin/bash in SLE12
-------------------------------------------------------------------
Sat Jun 1 15:08:49 UTC 2019 - Sebastian Wagner <sebix+novell.com@sebix.at>
- Update to version 0.3.3:
- This release is the same as 0.3.2 but the version number in configure.ac
was accidentally still set to 0.3.1
- Update to version 0.3.2:
- fixes boo#1136958 / CVE-2019-12439
This release fixes a mostly theoretical security issue in unusual/broken
setups where `$XDG_RUNTIME_DIR` is unset.
There are some other smaller fixes, as well as an addition to the JSON
API that allows reading the inner process exit code, separately from
the `bwrap` exit code.
- Print "Out of memory" on stderr, not stdout
- bwrap: add option json-status-fd to show child exit code
- bwrap: Report COMMAND exit code in json-status-fd
- man page: Describe --chdir, not nonexistent --cwd
- Don't create our own temporary mount point for pivot_root
- Make lockdata long enough on 32-bit with 64-bit file pointers.
-------------------------------------------------------------------
Thu Oct 11 16:41:12 UTC 2018 - Antonio Larrosa <alarrosa@suse.com> - 0.3.1
- update to version 0.3.1:
* New feature in this release is --bind-try (as well as --dev-bind-try
and --ro-bind-try) which works like the regular versions if the source
exists, but does nothing if it doesn't exist.
* The mount type for the root tmpfs was also changed to "tmpfs" instead
of being empty, as the later could cause problems with some programs
when parsing the mountinfo files in /proc.
-------------------------------------------------------------------
Sat Jul 14 20:06:50 UTC 2018 - sebix+novell.com@sebix.at
- update to version 0.3.0:
* The biggest feature from this release is that bwrap
now supports being invoked recursively (from other container
runtimes such as Docker/podman/runc as well as bwrap itself)
when user namespaces are enabled, and the outer container manager
allows it (Docker's default seccomp policy doesn't).
* This is useful for testing scenarios; for example a project
uses Kubernetes for its CI, but inside build the project wants to run
each unit test in their own pid namespace, without going out
and creating a new pod for every single unit test.
* Similarly, rpm-ostree compose tree uses bwrap internally for scripts,
and we want to support running rpm-ostree inside a container as well.
* Another feature is bwrap now supports -- to terminate argument
parsing. To detect availablity of this, you could parse bwrap --version.
-------------------------------------------------------------------
Tue May 1 21:02:33 UTC 2018 - sebix+novell.com@sebix.at
- update to version 0.2.1:
* All the demos are included
* bugfixes for the demo files
* There was an issue with mkdir when running bubblewrap on an NFS
filesystem that has been fixed, so flatpak now works on NFS shares.
* Some leaks have been fixed, including a file descriptor leak.
-------------------------------------------------------------------
Mon Oct 9 17:53:37 UTC 2017 - sebix+novell.com@sebix.at
- update to version 0.2.0
- bwrap now automatically detects the new
user namespace restrictions in Red Hat Enterprise Linux 7.4:
bubblewrap: check for max_user_namespaces == 0.
- The most notable features are new arguments --as-pid1, and
--cap-add/--cap-drop. These were added for running systemd (or in general a
"full" init system) inside bubblewrap. But the capability options are also
useful for unprivileged callers to potentially retain capbilities inside the
sandbox (for example CAP_NET_ADMIN), when user namespaces are enabled.
Conversely, privileged callers (uid 0) can conversely drop capabilities (without
user namespaces). Contributed by Giuseppe Scrivano.
- With --dev, add /dev/fd and /dev/core symlinks
which should improve compatibility with older software.
-------------------------------------------------------------------
Mon Sep 18 12:39:54 UTC 2017 - sebix+novell.com@sebix.at
- add group
-------------------------------------------------------------------
Fri Jul 7 09:40:27 UTC 2017 - sebix+novell.com@sebix.at
- fix build macro with rpm < 4.12 (non-Factory currently)
-------------------------------------------------------------------
Thu May 25 21:15:49 UTC 2017 - sebix+novell.com@sebix.at
- update to version 0.1.8
- New --die-with-parent which is based on the Linux prctl(PR_SET_PDEATHSIG) API.
- smaller bugfixes
-------------------------------------------------------------------
Thu Mar 2 09:08:58 UTC 2017 - sebix+novell.com@sebix.at
- upgrade to upstream version 0.1.7
- note that this package was *never* affected by CVE-2017-5226
as it was introduced in version 0.1.6
- upstream changelog of version 0.1.7:
This release backs out the change in 0.1.6 which unconditionally
called setsid() in order to fix a security issue with TIOCSTI, aka
CVE-2017-522. That change caused some behavioural issues that are
hard to work with in some cases. For instance, it makes shell job
control not work for the bwrap command.
Instead there is now a new option --new-session which works like
0.1.6. It is recommended that you use this if possible, but if not we
recommended that you neutralize this some other way, for instance
using SECCOMP, which is what flatpak does:
https://github.com/flatpak/flatpak/commit/902fb713990a8f968ea4350c7c2a27ff46f1a6c4
In order to make it easy to create maximally safe sandboxes we have
also added a new commandline switch called --unshare-all. It unshares
all possible namespaces and is currently equivalent with:
--unshare-user-try --unshare-ipc --unshare-pid --unshare-net
--unshare-uts --unshare-cgroup-try
However, the intent is that as new namespaces are added to the kernel they will
be added to this list. Additionally, if --share-net is specified the network
namespace is not unshared.
This release also has some bugfixes:
bwrap reaps (unexpected) children that are inherited from the
parent, something which can happen if bwrap is part of a shell
pipeline.
bwrap clears the capability bounding set. The permitted
capabilities was already empty, and use of PR_NO_NEW_PRIVS should
make it impossible to increase the capabilities, but more
layers of protection is better.
The seccomp filter is now installed at the very end of bwrap, which
means the requirement of the filter is minimal. Any bwrap seccomp
filter must at least allow: execve, waitpid and write
Alexander Larsson (7):
Handle inherited children dying
Clear capability bounding set
Make the call to setsid() optional, with --new-session
demos/bubblewrap-shell.sh: Unshare all namespaces
Call setsid() and setexeccon() befor forking the init monitor
Install seccomp filter at the very end
Bump version to 0.1.7
Colin Walters (6):
Release 0.1.6
man: Correct namespace user -> mount
demo/shell: Add /var/tmp compat symlink, tweak PS1, add more docs
Release 0.1.6
ci: Combine ASAN and UBSAN
Add --unshare-all and --share-net
- upstream changelog for 0.1.6:
This fixes a security issue with TIOCSTI, aka CVE-2017-522. Note bubblewrap is
far from the only program that has this issue, and I think the best fix is
probably in the kernel to support disabling this ioctl.
Programs can also work around this by calling setsid() on their own in an exec
handler before doing an exevp("bwrap").
- upstream changelog for 0.1.5:
This is a bugfix release, here are the major changes:
Running bubblewrap as root now works again
Various fixes for the testsuite
Use same default compiler warnings as ostree
Handle errors resolving symlinks during bind mounts
Alexander Larsson (2):
bind-mount: Check for errors in realpath()
Bump version to 0.1.5
Colin Walters (6):
Don't call capset() unless we need to
Only --unshare-user automatically if we're not root
ci: Modernize a bit, add f25-ubsan
README.md: Update with better one liner and more information
utils: Add __attribute__((printf)) to die()
build: Sync default warning -> error set from ostree
Simon McVittie (4):
test-run: be a bash script
test-run: don't assume we are uid 1000
Adapt tests so they can be run against installed binaries
Fix incorrect nesting of backticks when finding a FUSE mount
-------------------------------------------------------------------
Fri Dec 16 10:14:32 UTC 2016 - sebix+novell.com@sebix.at
- upgrade to upstream version 0.1.4
- Build also for Leap 42.2
-------------------------------------------------------------------
Fri Oct 14 2016 Colin Walters <walters@verbum.org> - 0.1.3-2
- New upstream version
-------------------------------------------------------------------
Mon Sep 12 2016 Kalev Lember <klember@redhat.com> - 0.1.2-1
- Update to 0.1.2
-------------------------------------------------------------------
Tue Jul 12 2016 Igor Gnatenko <ignatenko@redhat.com> - 0.1.1-2
- Trivial fixes in packaging
-------------------------------------------------------------------
Fri Jul 08 2016 Colin Walters <walters@verbum.org> - 0.1.1
- Initial package

208
bubblewrap.keyring Normal file
View File

@ -0,0 +1,208 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBEoEbMcBEACg2ByFTN0inbeNg5aBs2H49AtW/eGqbiWMML3RwlfPqu+I2MGC
PeOHBWjtSWyPDixrL1DGDA4Cs0uoxk98sRZE8peAhGpFEdiAcGuQU/JcJ0gDTsfj
1WKMcWi6yI5eu8NinkW2pJuMgLpxNtD2j8wfegoBttB4omXinOpCHuz7lGYenbZk
6/DCgzVeq+ssOdfjPLSJJPIyIIwhdDorXX0pvzAou168LFlDJaWx7OytYfKz1zV/
f+bwnzbMRriAClJYgNl+UT+XnHO3zMIy1mSk4uffaDXeRPPO/R6lM/u7a5w9wHi/
oKIPHJ9BmsgA5vBImuNNRa2pnOHwpBnphnpvqLm/98JAJJfMkoefy2Oc2J6PxJla
pP090sXzt6T7YpR9epwZCO5+OU6sIbK/vjy1pi0hxx847H4hrKzW67kr9o5btjxm
FybqLTT+o01n7x9/A6SBE/vVAfZ1OYm0/DoSNdKpaQtvNeQ1h5gw7gY/uT8VCQB+
ZQVRQkInAqYSzO4oYPS9ynud5d3qNllpZs77EaEN5yVKZk/36QUGoRdbmpZoMTjB
aaM6G0MUO+1FikvBT+aDmomgD+JkDOZf1bIJaSg/QtIIjq5ALExbk1XDkL++XVDJ
9Ag7U467kinjcKWuVIr2aOMMSlXFuDFlsZbeJGCqkdkc2Ucdy1p0fZPWWQARAQAB
tChTaW1vbiBNY1ZpdHRpZSA8c21jdkBwc2V1ZG9yYW5kb20uY28udWs+iQJXBBMB
CgBBAhsDAh4BAheAAhkBBQsJCAcDBRUKCQgLBRYCAwEAFiEE2pjyXAhxxJpZ6v8s
Tej/KmPHzJAFAmOfkucFCSxnKSAACgkQTej/KmPHzJCj6w//fX/1/Z8yOEy4LnlT
d+xeA1Z/HzJAykzsqbdfS2wKhglhswPD16T/Rhb8PbmyFEU1n9H/AxX/xsKcOl9X
JPTsziKg8N2HY8EcTTM79KhH6boCwZmmGtRVupAnAa7mK0FyySxRmExQhBNN++oJ
gSn+D6FWTzR21wvD4gR2U+x3uchINs6fG4f5JEnIrr7aGZPdsCsDSPfm9Jvz/MHG
E/cFi6dxZAPAVcKtY85XGSVWxI+wqOYfpVI+hs8FcXrIJ9UXEJhX9FVZ9XybrzyD
O4zfNL2LBPayQf3zgcNffA42J/sQDZwEec1bcQd7uQlGFvCRwL7egksBMSH5G0Ff
ybuxHF6uydOsZY2ZSA1a/PDRtoQ9PMN0mZO7Euk/gXA0GPi4OwuAkcyuGvu5YQFF
bmXZu1Mz6bYjdhoaeSC8wqV6x5Zw1THlRvyKKuq7bFqJksNzxaiBt7fRZDMsOvQ6
XHU7ELeDPVCvExhUPXYjVwsBvmsCnLprSwAWIlKhRnAdhUMnbyO2Kjw2KkSrJPgt
wESG2LMSdgyqPpSWMoccYRG/zn/W6vqFUZ4SpVy43HSsegNjuS7NUxartr/28CpL
f1xFIzwieBmqF047cMQiuvo2U7dQwP+WcG+hWcdvgX3k5MwhXXFOg9A+xt1bPqe0
/Vcvc3gqIbxULXlU72BUwVuSXVi0IFNpbW9uIE1jVml0dGllIDxzbWN2QGRlYmlh
bi5vcmc+iQJUBBMBCgA+AhsDAh4BAheABQsJCAcDBRUKCQgLBRYCAwEAFiEE2pjy
XAhxxJpZ6v8sTej/KmPHzJAFAmOfkwQFCSxnKSAACgkQTej/KmPHzJD1bRAAizrB
7z9KFjr+9t3iIEBplYr5/fzK9qEBIVt6pxTZrnJlx2BWf0HPaPc6BpmM8dUWEI7c
dXzjM26BFjnU8/HDpBDTmvA31MFMc9kruOn6DlVQGCNGy154isShGh5O8Ytv7VMN
r58FUPSMgP8bxyteDEZB9AzxpN7wduFgonS9jn0WuVTKxBGwQQdSfY30dUuMBfed
A+bFNAIxVGrmq6H5dyjm92mK5oqo9/b4ZzzJMl2Ii/LTw+XYiCAvwhAwK73272sF
oPcSQnBUxA8hzp6fA9/AkUhtCmkvmvckVo6pZgbduVQAGLBUwf7J5Czm8Oe02El1
01P9MetJf4NehKGkMgp3B87DkJyUZc2dWlWt9a2KaTm+8ILbj8Bx6AmLCyXJp+jO
E26sx5rnwPAZPoDz1wmYfwiKx2aUADOXR/xHgEWb+VPKKB47bbJMcGzUB7t38Ov7
Hl7ldnF0vFLlSfxlj2VUHL2+hHs0jw+KyEkC7BN0umfIhiN7JbuurUcqPZzNHIk4
SDYLggflkYS6JI8PHxIidVrVHDU/ef94Jq+6hJuH3sRu/l6B2R+mTnXKuzHUXyXu
+82R/u9D5NlJYdCUUxVDp0uAMki9jwgRguLwdiG1Xzrdt2DZXaXQ+1gjiCO2YR0W
RG80RmG6/DJ7PgnQ52pgLnOEghA8NDMmKh0Xcvq0JlNpbW9uIEphbWVzIE1jVml0
dGllIChib3JuIDE5ODMtMDgtMjUpiQJUBBMBCgA+AhsDAh4BAheABQsJCAcDBRUK
CQgLBRYCAwEAFiEE2pjyXAhxxJpZ6v8sTej/KmPHzJAFAmOfkvYFCSxnKSAACgkQ
Tej/KmPHzJC06w/8COGhjTvLzRozZ2f34C11f5urTNcCDxN1DJNurv/AUdNN8rHq
8qUkAxsC6c+MzVrb5brfD0YY496q2HPFdmZX02izTGyo2vp8n4RC4Z+u6gcmuhkU
bN+76T35kRO0+k59S/mXWnvErLcyWxgx7fjf6/ZskWNoq779siB0GJ5Ly0ZXGugb
GhO+QiZzMprJ9rXzsJJAwcQNRLTclm2hSUAtFd+3lQQVWy9XbMuk8Lng8NC8ReDt
es/8ZI/jnwmUz1oR3pewJjwhfl2jKrhplitWI3wcf2PueHN5/qbJq+M9xBCMaYj4
LrQ7jSmEMi6WENRtj3BiZsYtGwkX7yc2EImojZZ3iAgpG/hVdxKosmRnvcEjNtOa
BrNfjupYhH+7t4eJasHwQNZXJn73/qH95rOtF4STFvlDfpCJa/foOisPc2DF+nhh
Xtt7Uvyw5c1rvrNd67crvJSfsgV+WbaDM735oGboM8KmkRQSPcoMj8op8ER8E/oI
vKeVJHNEq+cBiql3AYcmzStdFXM+VMeNUhCSW5cUT0mLuxDuRKyRq0bvpjfSUs+j
NP/ETzD2f7jCQQ2uWdJ/WvLxwEwcoevSBp6SH2IP1QISmxXeohuKV6yb+UrzL6eB
nh6cl9Y32OUayA+eLBXmOcpgk+qsVMkb9iDxy8Igk9bYpYSUv4fNsKh5Wvy0L1Np
bW9uIE1jVml0dGllIDxzaW1vbi5tY3ZpdHRpZUBjb2xsYWJvcmEuY28udWs+iQJs
BDABCgBWFiEE2pjyXAhxxJpZ6v8sTej/KmPHzJAFAljO8AI4HQBzdXBlcnNlZGVk
IGJ5IDNDODY3MkEwRjQ5NjM3RkUwNjRBQzMwRjUyQTQzQTFFNEI3N0IwNTkACgkQ
Tej/KmPHzJClKw/+J/7A5uvxfAbJ5Lz/mg4K3owJw79Az67E+J+onM1vYBS+hJxw
6cxgzx6LjWVMp+Qnj3lolJ9Xb8X6a3HVSc/sN52FxDqI7M1UrhsvbreRu2quE8im
o9EhtKP6GqrLlVDuq/59WGgUmwN5DZOGkJ0DQ5Sv1H92RvcGKJkVabIAKUadehg4
9hAyrn2OhCqo99a/I2vujAsudOJC8Z7JG+xy1eOZccmb9AEmim9hs9CigR2GwbIy
PrRHMmehbxGVFqot1rkOZh8ztrYskuHQdZvlO/CvIh3oFW3TwUiJss4eGbl8CLiP
54Rh7IRggMKlmtWr6BmCSGRsxRQ/ccvjn/NUFynlGxIRh/7UzatMNriuo+j12VQ0
QGsHmut6GKfi9ih6nCXEEtGCUDKaQ1llD8zZIuq6+ITIojrc0tRidATYitU68H2Y
SEIgEGGqFPrjmj0Kife12hDT0tLq2GrxO7K3UAWi8F43o+Rs/RkOnBVAuW5oEUX9
1Vom7WaSyoBnYFiGMjtFl1tiTUN3Gj0nDOaHJl4eGvO25Tq/y+mTp55EdIKUJUW1
vsqJneXU92vziw45Od5T9EfW2XlfUn7TiKgLvCq2twMF7vdfc4B4TkNJUZKIOf7/
7A+uG2Jmv1aSioqIWG4KZlx7r46C3Zh4aasvqvZqFeRTgaIYwpam4sLiy2G5Ag0E
SgRt1wEQAMSwM5piHmJxjWe4SaekBldmZ7kbq7b03mtqGOL0SsSr1AE4DDzqWEeo
6DQhQJvkKLmAnSchmjVvNQ4zID5VP3pGTR5D2akPt1ouX1SyBoCfDdu9SNzYvWnr
gAc1MfVN4Su1lG7yi3RU+m7dAwITcN+BUE4JNWXudees9yfNq/18TC24z3xZbfYp
w1oCWeey03hl5U1PrPl7Dw9xrBnjaqWm215lUhOcjUTHQdf6C0xePH3oS+696A+j
Si8VPCG7z6AJNlmCJvaV3aeFjvNtiWpl1ZL3vVzhIKxulOy+p7bK/ZF9OPhT5f6s
XS2e/ZRuGt+62s5q+n1r7X28BuoYTgJ/5wCs/oU4IX9zmtK/v8lO2/pMpE9iCwd3
hFt1tPAckD81uVycinxZ+qn+mT6OBH/5G9YEw7BUyaNy/aq14H4cZ1TsZ0nAlwNa
bvyyQIo1NcG825A4uZ+ZLztvXE8obbOOLDWSFbWB4NUQBqAtxIKloIvMUFE0WIqC
gIs/zIIcoUJRn8vk02jm/zaO82myoGzRvivZdztZlCGtsJjsLdbm4dzP0oywdOXe
S0YqWjiDuNNLbye0I9fVRvKojr0ban/vx42cUy91CloBtjoNuCWqpmqzTdFB7xc7
PWMNxQ6VpSjcsKH83O7pw5/pLLXdY4sl/SdRHFUHjhS+uGfceL4jABEBAAGJAjwE
GAEKACYCGwwWIQTamPJcCHHEmlnq/yxN6P8qY8fMkAUCZh+xewUJH92qpAAKCRBN
6P8qY8fMkFBaD/9HOqzLmcna/46w8HY6tzrUWoIMTleUBkFpWsewJalipJoRjfI+
rJh9KYnOdZKnFy5F7iz00FM3MBcVif3BsfkjgkbbJ6WPajRSZg7llnPDOgxT/iyU
xb3+qgX9HGh4HmYW7w1YlYzhjrQ/wxB5AziyZac9HBbuZStcb+olC2c/V+YlBNO3
QQQ/Pb60vsMmVZeox5RPfBtjyZP8uciEB5w9vv3/t1YliwJx5GlJM194XOiqzImH
9Vo4h2L7YOVtaa+KChb24GShBzc/VsDFeljH6SCIaWzq3TGH7hpEC0fP59xQ+MFZ
58CqQ98WnTJIRXInfqa5o2gk7SNEnPNmPuiVUSjByWmSv1haxjhMciGhik69m+82
1i+4Z6PCU2MypryTQLuzwTRTsX/Y4120172ppQEexV8jhATKTM6/62X8u9HvRctK
Nl/+bpQp0/FK+o2BSmYAuvSOQKcLr7IxlqVSJoFMjnUQENSeBUg+n0XewiilN6cL
2ifK6qOxqbOynffFbWpO9FqjVZHKM/3oO/CmKQJ46FHjqKAnhnRpG5j/5Kj9BBJw
Y+9xetfa8n1ES80NwCQZcEaa7xD08kqq8aWHCExDGnWohF3/PYEdO+cqTN9RUN6H
YWHi24Xs/S7D0my+ubkpnfXawhPbeSx0Eq2iQJ/685QE/G+kKikbed887bkCDQRm
H7ERARAAunxdA+AKJdY8BUNyuxD52lg5lzS27OVmrfkcSVpp01homz1XjJxBYfY2
akIhze0R1+2e34u/L3rqsD9m5rxi7OlArpsfszgz3cCqk/4IFhoo71SMrjrpsmIw
MRoheBwQGXFOtB96I1gnzZ6/Ya10PNIrWs4bQjpIf4PzaV2Q0SMZZWzq9wgSnIpY
Bqk3LHnmGMY/2/JJLsaNrmc0phcBEBrUdbvAjj0zblW6873DI0aqFvkwZQPDXh3a
HcQmw8bcDsuv1XPq2Ik2+NXiWFZ6pZWqCjwW+QeUurCDVP2lq2dNvrZBBnaOnXYZ
jE8iT3zg2orGXdRgaQ/qnQH+vvF9zZkCBoi/wca2Zi6wWitb0Hk7M8igALGHaxwh
CMUVlpNIFO0lx4V5dOZI3vUBdGR7KwMkFXcY1X33cB64dci8cjKpBjvUcTWwaFsl
QdtxX48CaX3cf8x2b5qBhDv1j2Jh62P8lK4NyTbwz3EwAvliySLGf2HYOpq4nU8W
j3D1Lb1LwvEQ7ulXFIcML059SLA8amILLqkqs711TPka7NmMrfFUeYaYQ/ddJ7rn
ngDa4HEPGEgzw3oQioQkDHuE80PkGoxpclEpkY40+ZOY2CgkbBHul1Fx4w8icg5Y
WUPXUqGPze61NZ+TxrPfrWZfApcAErjszYDeRHa4PD2tIFWJgS0AEQEAAYkCPAQY
AQoAJhYhBNqY8lwIccSaWer/LE3o/ypjx8yQBQJmH7ERAhsgBQkDwmcAAAoJEE3o
/ypjx8yQyTQP/29LTZR0640S+7GdukXXPpkFrNF/NQwbgSCPpSnnuHMR+kPCaSmf
1yethqWcAYKenWaCi0f634HFbn6GpkgTd4w8dk0438NikKZOQ1PrEfcS1Q/lOiW9
p2aO8qer2EPSar/m6gyNTx6DX4qNb6DJXVdBsGTZPa8j9amLLoGnVA7qjt0S8btX
V4xSsTGLLJ1MMAoe86tr9Z43RD/HmRC6yZNI/zKA7TGvgz/YK4lMutcFfLwyM/CI
WCIJ8AIvV2hCQVAdEP/sQSS1OXDm7bzc6II+tq/2oNqeV1BLzh5714X/+XtizsRa
RrqdrZad8cFcTsvbQuWirxGTKPuEs2VK+yz4XX4HHSgIqSBU+Y54HGpyMMECqK+f
xclFiVTTBIEgDUeCfBpyKJ/+O9/dMpkYzhqjF9bzHXqesO9WK8b1AFVVDdU1pJxb
TsT0BAGFA5yZmxBkXnGgNsciJhADV15IDsft1vXp+stU/TmqoGRzxb0JBLscTSwp
zsqdCRbgcG7+cSrYGBXFtrTTYPXLfJFdS6Zj1Z5/XLmixLYg6fGIh3+zGO4WP4Lj
ywrc0VR7dnQteRkA8IWaDl+IEZFE7455F/G9D0XHmBRy52Y7++Y1+zTIjJLIP8F8
IeZHNdYxZVF7s8sGk+n0mvHmtigpb9vc7bz1KQpojEDi4uwFb1Bl5BkkuQINBGYf
sPYBEADMmaLRAvcX9Z7orMRamv7VPeCBn1Y6/qjZDIcx1RedvzkcLXaIjcfqIPmA
78JtMJ8CmSExc/TqIFeD/gwHAyhUDh9AExtlvzo7fXMBgi97REFwPk4YZJwRiIkH
CRBQpYK42AbOnfr5WXB6R4MH9dWusvyevRgtsYqnhXFXpNUeD3XV1hbNJZTNmSJ/
6mFn6APfPjciBSPDMLLiLmzsIsaRq6YBrcs/d266oFQhZ+usKKqoVg+bXKxm4LpX
igZ62SqwwzCFDtzttYHQLF9XLHL0zy8aFmVWRU2WQjlTQmr6JC/iOl44GMSwTIhJ
J3yTD6DS0iLOy+PVyZjspoET2iemExe+bne0PUNCV753/aEf9Jqx9IuNBb5XcFva
3oWNiWJsHcCa5gPCE1XpkRt/vBibSOhm4/yHWgH+mt15JrfAohUtPBSzfSRwLPXK
ko+XpqdUighuqEZYqitHHSiiwfrbjh12O0XTJ8DDYRay6YMrbvCNo5QBKWj/UHNn
tgy8esqAi22MqzrYzLqTD5+9vBxHVuY8GCAm1ULNxltA8hWPkgDWogdh5QfY00/j
tYzkoPcf0SlZwTe5a4bIP+mVYlab7wq4qNkRlOYAHNbZZHnI7sRY4eVzsyMO9Y83
Sw1PcJPZ09NYrtkAyynmwPYKporojp5kb3jOrI4Pi2jb+E2i5QARAQABiQRyBBgB
CgAmFiEE2pjyXAhxxJpZ6v8sTej/KmPHzJAFAmYfsPYCGwIFCQPCZwACQAkQTej/
KmPHzJDBdCAEGQEKAB0WIQR6BzrRrmlPolv/YuUjXAmdPrMwdgUCZh+w9gAKCRAj
XAmdPrMwdjW5EAC+a3xPNamOonKe0WOhSbPdTzfSenb0tmLmK5NKm0PCDNT/O3Qh
7++MEA69NJRIF4TUsZv6eyDN/nulOoFID8gxK9CPG6gCW0QGE39rzrFcZGzIa6ql
70YK8tSsuDQcwbP0wwUynIpkgqeyNj6jrRi5ggGLGVj8GfV/d2MZJOeOBPqPuFaA
3kqoubOXK4tV37coTsycfmMZfMWClGVHba4HfPtBSw+ocTrRfPtC09WdE46ggkm5
ITIVOgG56k4Z10GT+gAmSIRIXOdlR4ZUEv/0BojLsVrtaSCCDJEYkL9ricpWFxFG
I9IjVHBKcsl4Yi/19QgRhqyc7JQpawu44l9FKV/9eTPBIwOW35RJ/7aOIeaxOb6N
ix5kr7CJ4RmX3fz4JDY0HybyTwkfKevsDlz21G/IJp67AxtlaKDxtfmfYcv2quyC
00ges7aW4ik/TkWGqEPkrq7PAxcUVKHEzUQCGvCS6UvuFpy3F6VzyAlGuqCng2Ry
O3Pw8/flEAZQ7bb80R6fwnq1XC/V9kuDhSM1xY2K5X9lMMovmykOKqVjgzyfGkai
nQlsSVGCtcun4eiPVpzoZJJ795fcNe0dKzquse4EGjx21qIlBZyTr/3BxFpDL7HV
w8CnNP+Xgp57oc/RPiwgSFgec4XkwUH2dA+6vTIi0IJn6UXPeITh5PscFxU7EACL
vaBwq74XZfnnpwl58ddt1miAkdR8cRKEfdXctajFgTuF8xagrVOlBpasvyQjrE4H
n+BWedApHS1xKnOzt1fNxgjHO5oQ7xW+zfu9QGl9Jo7tqAZuQfZWnzF4Jijtz8Aq
S8f0IgFw1obLrFhOAVgtnhQTEiKSkBLGb/AzcjBMmmzyHQXnFS5AM5ARAXOxJ1hm
k9/UDZhzjKsgmtmyLFGeL7+4031IEAe2rrgRMcDXdd08e54bH4be+KADDYnnrXQC
/oey9+IuZE3Wa9LsfbLkFPbc9/Ec2M4Sll525uWaGR9tdOESECKXPXskF/Z/U+nh
R+hQ5UP7ZA+b7y70TmsRIhsmO8Ysvcs0WABv8radHqCflMPcaRw34APz6SDt7JyG
viD+PoTN1HMQT5IccD4u1D4y8YO+ge5y1RhciXtzJrIhzhFInyhqGPJmD719K/fq
ooDGO7SMUL9XYcz3TwW1JoXfhhHpztkF004gdE9CEJmWuu9T0SIzBKEOctmil1B9
YqKtxyUb8sj/l4xxH7zMlSh+0t40ytIDt2uragDDVbdV+4A3OSlNTu8adPbAc5Vz
qUyLH8bmaN+Trgek0U8HGIWdc9TE4p/ussaRgB6C7edDp9Ru9gTYUuKmSHs0TXhV
N0m9J0v6rnnJ8G6qPmCTRmiTd2KDK+AlIQF7jrp3l7kCDQRZV7yuARAAs2t1cYyI
MO+WhEqKqK2M6JzBFBP6hiUzy+LOfCK4zQ2kBRM8RE2th2f0wZtQjsh29hFJ2Y/Q
HEcGqPFtI0uC7fAB1G9zcEIdlprr+PEgGg3i+dufewNIYTPmCQ3ckOnhxueUYwdg
SDL0em15UTN2RfQSBsDa7QhhzA1qa3bCqWMHelxarwVAyZLQ18NUx8W4WmETuoqP
n+4X/KeoSbBhDbvxbbcnE1rvXUavr/nTG9K7FSqipI3474aMZa+8ABXc6Hvp6GAX
vOf8fdM+E2fRyAWEBX33ttIMnzCQZ0LXu0TlM94o0o6NgsHRC0+gw8xdYluxjdv6
sXS2Z/aMbI67ZG9eERXFRnclYYCCHLmHXcZSgg2GQpi+EHW2WtperDb6CCnmaGuM
P9iWhtST4p5jst8AsansHyRmCqmuqzaj1Tf9/ThRtm4JNFfgSmqBAejoK0wUPNOR
pPYq7N7JF0BT8Y22+QxqJYykdfIEBj5fthzTZaHxxVwuWd8ZkyAD+T0Q81riZ/UR
uBZ3BvcbiPnhbpZjyR6Y5C4bfdWhPFW7yuHNsGIw+8BYpMfzSPyY16mo0gwyCp5F
GyQWImIqA+CHlTRZcJyVOTs5zTFZSsdfzlxDYO4lIFq8N33na/O1GfFDaH4SShMw
Aqc1a4AJD3LOTlZuu4pFt5PMvswyyqyXw0cAEQEAAYkCPAQYAQoAJgIbIBYhBNqY
8lwIccSaWer/LE3o/ypjx8yQBQJjn5N2BQkOCj2uAAoJEE3o/ypjx8yQ4lcP/3w1
1MtMf/5IlF+xBtYENcu5E3YWT2gdMe1QNYTrttjEzfCR0uHTtfX9a/EJ8Fp4MJBJ
9xBTz8qgXG/bEAc1Kd8onSaTznEpjKml0MJBF2BQDdAXWCMw/6mACH2KWGA7gQYd
rJFoCZTj8lTS/qBDTJMXZ9Xj72PHKI15J3pS54Is2Jj4ZLGxlrgMUPVFKq1XRAiV
32dcxDDvKyiOCVeSAk4uV+1gyWw1Z45dip3bsBE+Xiy06BCP7NB4x/xkWPzc9L9h
/cV5WGRUqWYQgRnPAir0hMkfdZXwjE5xs4a/TK0hU3YpbVcAo7ZOiuHbbVJ7v6Li
7jqGZthUGgwcHuRAb4qfK9QIQ9MkBoHilxewrUMMsioDsLXmpRot+N1ZP9vrh3SS
ynVX5G/iJLEqzbEfXang+UWA4AHgGeggp4NZcyWpliHlEkAy2iU/ffkxaKnUyGon
/iB7Ag/BiCtKuD119Vme8jipjOZYOqHdqxxaVNDGQNF/O5mLO2n5C6OQkvoix8Im
MuMnhlc1mEErmwc14qplwFTCyoSvSSptFnzTw4Onbfl7FEsjTyoh7qxzZgqe1WVi
teuieUQ5/saufp4wbv7aNk/scfCuRytXrd0UQLIAjpPSQVWg2gud+0Tg4aBzcf/q
lhShsXE+DS/ewdqFJ2yJQ6wnV9O/Ge51sFI5g6H/uQINBFlXt+8BEAC5XfTqbrAi
+uYWuKAGBYQwxgbstCE9sU6PhzyLPT+HzoC3tJrKfZrk9VwcHpy2H7rk8++6wfJd
fdXgVEi6gwYP2XA+DyjQKRBjEg2PeCDVOfKFIz5b0G+luSNkOaPy/CQuMY3slGGx
EldymrAF2xaVPRs1htzoW6YjxrTb72NUs3DrFtcFNfRkkqBtRY9mIjt9TJh52rZM
TR8fOryj5o15nakiMIlK/G5Jzh4oo2MA0FIrv6ysH6GorRdoAFCXE1PwGegZwDmr
BBzyr8bdaHqfCR0Bi1QRIcO+V60o42tir3amuv4PXqJWYrFkvIPZ3EA+4TG4I/CB
DR69SAk5JYWy1VEtawvo8ptV/RXBxKPcPF72qZwEc6LvG5XxCvFNjttqmBijTiWA
ok7h03UK0WeHquOaDVLjalnUSMBZD3LScyNh/xJpA7Y3a04sg/dV/I/zy9vqGiSK
/1JQVabbF8zXuJQ+PX2jaH21yTRsKvlHKbdr5tXogXESpKt5rDFnwPFNgFX7GYnl
G9Zg21P39crB+ZivTvciCrtxPJ8zn2soVhAREjCwcOjExZ3RFG0Zoegfz636FS42
P5Vte14dZNIMBcRlcWCcxQnEjxvu8+B62yL3lvMMjj7OrdWirQreqrVKmItXD3bp
Q4lNxTmMlqycCCR+WpMW9wJvksJ+gGKiYQARAQABiQRyBBgBCgAmAhsCFiEE2pjy
XAhxxJpZ6v8sTej/KmPHzJAFAmOfk2oFCQ4KQm0CQMF0IAQZAQoAHRYhBDbsWmRI
pPXveb7+mOBa4UePgUxPBQJZV7fvAAoJEOBa4UePgUxPXsIP/0snY8VlwDpgD2Zi
mCI9sBDtNYo80J0whOn6ls8Ha1u1D8T9JPRBLhhPMP/Ftu5cVhnBvjFHhMBinbjB
dWnHQuda9MMxfb3SGK4S/gJ8CbIC/fqP0GC0kXvPslFkYLR1hef2nlj4qDd0otCV
SNOB1dmeeJ6VhPOcfpfyOvr/bDCvRYKI2XM4aLqU1YUjFZu4XvUkv/zHi5ohC7ka
M0WyEwUh5RXZhxMYDbonocdMnHkIAt0SFWBeUSpcQYQg70Fw15+xSFKYAhpjO3r8
FoFaR7Lp3yFgHZf4kVla2XDqfN203nROYUf9V8lOwkaaOZrxFUFvXGA3EkQpn9mX
ou56vq6PoHISPOROFE+eSrCJXlQkpxBGO4jQpub45eyWHItV4fIe4zOFwjEx0pVi
MJgt1Iib05iDP7cSithdllC77OVRzgNmYGed5DkEp/YjQmUr3ohCuSCZIz6Cz6+j
vtLLG4/RWggkZ6ktK43ED293B/YxceeQr4gflvnrdnGK1D4MrXE6D21+CaIFqb00
tuMGGCJ7CBx2uvM7GAche6hv6SvCmx1Q6WtefJsU9PQQxu/SWkHKkPJlgZCgZvUq
GI9xukqG0DgSUR/SXIyAcjaGq9UE2zKuekeAihGWsduwr4cCTe18sP3HGEYHEL0D
5hX0KR78ryCGt7NR7x6QWrFwElK+CRBN6P8qY8fMkMWTD/0UCzVWU7G+rWSO7FB5
ieryleNJm7PN7/a7mhZ02te26pK2M4hB7II0hJGGPi8IwxENvoEpzmzLHHSyFrly
il2meimCophIHhWnRxLQfAQ8RZzdNbLcj4L2JNMMxPZmkeqMcvEjikWePm9usFvi
7tgwsGFaC6hLRqBBiHSLXj3cYDreCUMCbEGk279HPEqFlVYgNpTxK1rPJAVHv9Uy
D2BoAX2vI6ioMsJzoSMvOA89Jmz3xp52Y1DmCBXHKV7Q37oPa+ofIQAaRV4bh8mT
SqHu9Um47qij1Uwb3JR4dgMdiuMvfQYsL4/Tu0oJa2Kw+QYhRhXCJMYHYKG7n3pP
tt7rvA6407FZXnHcmsCurQxXu03+3nhfPoxhSFou1s+mDHl/mft5p9E+Pmxbg4W+
ElqXpkmKyN4ckHCtLzId6Cgw4zHbC9nzgTRw4uKY+bxukvcdv54G720Rl5UJkILz
e+ObWzuZsILibop2tDSY/3b4a0y8HiVxsIBHqoI8KCce9xLebo/mdj79mZmfdAkK
axGeAcqchtvCFAju0xTl+v68Xeeh0Psb50HLa2X57v3Ay1wIaiCy+HuGQfN9XgFb
KzVkYwaV7WNlx4Vr+XYTHxNBcJH+TXSatVSToCb6vNrdfj8lmST6Yhnr3iVlUdSN
pVbHWbZSGkUptYFdg5psy9Tniw==
=861B
-----END PGP PUBLIC KEY BLOCK-----

89
bubblewrap.spec Normal file
View File

@ -0,0 +1,89 @@
#
# spec file for package bubblewrap
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: bubblewrap
Version: 0.11.0
Release: 0
Summary: Core execution tool for unprivileged containers
License: LGPL-2.0-or-later
Group: Productivity/Security
URL: https://github.com/containers/bubblewrap
Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.xz.asc
# https://www.pseudorandom.co.uk/2003/contact/
# 0x4DE8FF2A63C7CC90, fingerprint: DA98 F25C 0871 C49A 59EA FF2C 4DE8 FF2A 63C7 CC90
Source2: %{name}.keyring
BuildRequires: docbook-xsl-stylesheets
BuildRequires: gcc
BuildRequires: git
BuildRequires: libcap-devel
BuildRequires: libtool
BuildRequires: libxslt
BuildRequires: meson >= 0.49.0
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libselinux)
%description
Bubblewrap (%{_bindir}/bwrap) is a core execution engine for unprivileged
containers that works as a setuid binary on kernels without
user namespaces.
%package zsh-completion
Summary: Zsh tab-completion for bubblewrap
Group: System/Shells
Supplements: (%{name} and zsh)
%description zsh-completion
This package provides zsh tab-completion for bubblewrap.
%prep
%autosetup -p1 -n %{name}-%{version}
sed -i '1d' completions/bash/bwrap
%if 0%{?suse_version} < 1500
sed -i '1s,%{_bindir}/env bash,/bin/bash,' demos/bubblewrap-shell.sh
sed -i '1s/env //' demos/userns-block-fd.py
%else
sed -i '1s/env //' demos/bubblewrap-shell.sh demos/userns-block-fd.py
%endif
sed -i '1s/env //' demos/flatpak-run.sh
%build
%meson
%meson_build
%install
%meson_install
find %{buildroot} -type f -name "*.la" -delete -print
%files
%license COPYING
%doc README.md demos
%dir %{_datadir}/bash-completion
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/bwrap
%{_bindir}/bwrap
%{_mandir}/man1/*
%files zsh-completion
%license COPYING
%dir %{_datadir}/zsh
%dir %{_datadir}/zsh/site-functions
%{_datadir}/zsh/site-functions/_bwrap
%changelog