Update to version 1.19.1

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/crun?expand=0&rev=58
2024-12-23 10:09:14 +00:00 · 2024-12-23 10:09:14 +00:00 · 1f255d57df
commit 1f255d57df
17 changed files with 1104 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/crun-1.15.tar.gz
+++ b/crun-1.15.tar.gz
--- a/crun-1.15.tar.gz.asc
+++ b/crun-1.15.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmYzfXgACgkQZ+OPeoui
+F3KNlAf+JPTyqSazEqx+TWdxHwXhzdfaWzgJ7O0mtM3KruCKIodvF+V/tsIDJrwc
+gF5tGgLVBD9Tlt+wzCSaoWbxEbz2eZmDRNVtxZt6e/QfHSID8PzVm8jVZiBMmy8n
+wPs3chVGM/T0Fh+8hBv2fmueYWPnSMnA4SSxp6eNjAYt5H59OXyVRw5hk0lQTzQQ
+U+GeMRTRVkorNq8dZ+LdPHg8+u5ndPCD93wfdelK2wI2X4UlAcTA2qcuL1MowCCC
+fqPigsOGiRNjzDCfptbCrG778nZu32AGn4ohBXmxoLDbfz2X3ZjgySzSZaVb/D7S
+R4c3fkxsV7PNXt6sNx+J8UAGntztBA==
+=pgGE
+-----END PGP SIGNATURE-----
--- a/crun-1.16.1.tar.gz
+++ b/crun-1.16.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:70548de4874f0c9e7e1e080ff092e23f8fcc772a23261ee26e26d79f24df289e
+size 1760357
--- a/crun-1.16.1.tar.gz.asc
+++ b/crun-1.16.1.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAma7dj0ACgkQZ+OPeoui
+F3LNNwgAidlpoqDuVBqh9ykjXfA0fnZ58NpWlU2wuHTk1zt+3vgTuFNGKmSimEZI
+c8mcgjq3nvTTmCBWr6Qikh5neSCerJJ+eprvmRQwHHuJj1sPoM/KhmVVc4pfLhQF
+B9MQxKrWf635TRh9r5V8kpx0K43ffL7ZVVNJ6Iumm4G1MOaEqpSZYSkgXMePFTGB
+kRh9zaHJ66m50i7ctokyfI1Y07hexviDXOhJi5znA0Y2GBSoiZLQcY8hwB7xg/m1
+vd9vI9CHA2E05dWE/Zuz9v/1YRH+hb1fRpnJP6LQPYjlUM/CnmMEDE6yJjQYwDQU
+Gu6uuqxH3nXMPJzv0MFpznEva5eLGQ==
+=++ex
+-----END PGP SIGNATURE-----
--- a/crun-1.17.tar.gz
+++ b/crun-1.17.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b766609814c0b0a3c0d2d235af1b061bd71da1aa2e8bb181d66e89f1b9a4e874
+size 1773153
--- a/crun-1.17.tar.gz.asc
+++ b/crun-1.17.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmbe+kIACgkQZ+OPeoui
+F3Kr8Af+Lr1TLt/nDA6Dgjo55pQScbgAa7nq1iM2yZEQpq2WwpXvj6M15pZ3vWAj
+kzeotA3JX3VrggjgLZ5j2GPh37BQfNteehX9yae3AkaltLkANZSaAbekqWCvX4Pk
+PeD9LzPLqOHGBCGi58UjeXl9Ov4bYhrDvIv7+LL3Q5qG2fp2ynfm7IEhSz7wjXns
+Yd6rqbs+bP+RlJUp6fcy5gBZEoCrLiBBh9TH1mPHURkzSsJNCf3Vqm2pQXfQlHBU
+VtWZU0D5XYnhyBHSPmZCdMjy7WAdACYN9euBDP2XhXSvv95bQy/NLC/IMUDJq5FL
+/ihOb/YV2LpSGoUvbBOliIdqtbVftw==
+=jC+F
+-----END PGP SIGNATURE-----
--- a/crun-1.18.tar.gz
+++ b/crun-1.18.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a83b70b350e50ad320376685e975afae535dad64e982e2b7c57a0db45663902a
+size 1777725
--- a/crun-1.18.tar.gz.asc
+++ b/crun-1.18.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmcXoUIACgkQZ+OPeoui
+F3IG1wf6As2b44CDAgYZA1avwOV5RZYe2koC9xcdZNq9zCr+qcbubHwbr4NB0zc0
+L+QQWpyMmnnQkI/7ZFphK2mL0OB68Rd1YHjZh9S7oIkF/u24/+18ZoBI1hZsz59p
+BDUnRVLJLOyx0Hk13y6UcaKzHJq7nX59pquSSS3VHNKu97J9TgAUwCcWaoaRR8Zb
+7tykfXoEgOajRhU1V3AawDGRh4HZ9wit1GCESWawGx/UYH+VJtMX/ruZmn/QUjzs
+zJ/XFN+jQ7IdBXVnrSk4Nnd+9PBrvqmxY0D8AgW84q2peWnoi+IdZqtQ51fHQVoN
+pKZxNC391NpQ+DMX81O+SL14NUORXQ==
+=nft0
+-----END PGP SIGNATURE-----
--- a/crun-1.19.1.tar.gz
+++ b/crun-1.19.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:32a9f283066640141a0f4401ac7ec7b5dd076b9632ab7e2eb53ff2c4e77bc8c1
+size 1786019
--- a/crun-1.19.1.tar.gz.asc
+++ b/crun-1.19.1.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmdh49UACgkQZ+OPeoui
+F3JaKAf8Cj1pfuua4Xy+K3LRG/6kANrkI4N6WoHgu1iOqFka5bEMDP/TTVx2NLAm
+vAd2wHEArtYpSyHi4FMYrqNmKu2t7/ng+FRKOQyCj7gBvc9hjxUysdDVunb1btZV
+C6zUIe3B3ZxlMhZPfNBGGYBWLKZzY9QT8Jf0Z+7c7qgx3YpMfZAmExkM8IdGi6Ft
+/HsrdSTjY0wUQT4L++e6eU2T/rk8k6TawMk6XI+AxDtIuUNCTYW9EhfN4C5R55VP
+CPrfv0xHUDJSEVPDATVLDPEC+X9zSmWiJqwztR/Tu+qT5T0hVd+SjZPe7NuAZpKf
+H4i0oYnHeg1pCldG3q4audpkUH9DHA==
+=V2ke
+-----END PGP SIGNATURE-----
--- a/crun-1.19.tar.gz
+++ b/crun-1.19.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f37ae4936832a4bde31d50028307e83bcc7af80f2d36779f4ac7c79cdfe682b0
+size 1783246
--- a/crun-1.19.tar.gz.asc
+++ b/crun-1.19.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmdTDcIACgkQZ+OPeoui
+F3LtrQf/Wpgo4cSvwBuyEGRJfwY2U5+b0WK6oyQ+jkOuuIO+wLPURqLZjJ2ssRy9
+DQ8SD2qwG9yJKXg6LQX7UMX2SfHuKPD8crK0XIYDwiwT67Y9+OX7He4GLEthJPa0
+oyVgOEbi7Ph1U5I7K2rZ/+2PIhbZ+W3hY5nQyHv49vdW8dpxYsqH/8pFJoJNPXr/
+7uGNL/uFBcnvg4FQTLKoVK2gdREfgkSYab8/kh7OlCbj2YxAWIonBcPlN6lbQ+/H
+mPQe+lxl10MFikLK78uIptXr71rSfuqILtfP2FqEkq7uzrgmz2szrFpljLfAravR
+/87H6SqsdvB7RUxS9SaJdAsXWa+atQ==
+=GD8P
+-----END PGP SIGNATURE-----
--- a/crun.changes
+++ b/crun.changes
@ -0,0 +1,562 @@
+-------------------------------------------------------------------
+Tue Dec 10 06:14:24 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update crun.keyring to point to primary key. The original packaging of
+  crun.keyring used the subkey 0xAF60FCA3CDAA6DEAD157EA3A67E38F7A8BA21772 as
+  the key to verify against, rather than the primary key
+  0xAC404C1C0BF735C63FF4D562263D6DF2E163E1EA. If/when upstream rotates their
+  signing keys, the old key verification would start to fail.
+
+-------------------------------------------------------------------
+Tue Nov  5 07:14:16 UTC 2024 - Madhankumar Chellamuthu <madhankumar.chellamuthu@suse.com>
+
+- Update to crun v1.18.2 Upstream changelog is available from
+  <https://github.com/containers/crun/releases/tag/1.18.2>
+
+-------------------------------------------------------------------
+Mon Oct 28 09:39:05 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to crun v1.18. Upstream changelog is available from
+  <https://github.com/containers/crun/releases/tag/1.18>
+- Remove URL from crun.keyring source declaration. If the Ubuntu keyservers
+  update their server software or some other minor change causes the output of
+  the key to change (such as the maintainer updating their key expiry), we will
+  end up with build failures despite the key still being a totally valid key to
+  do verifications with. This also matches how keyring files are managed for
+  most packages.
+
+-------------------------------------------------------------------
+Wed Sep 11 20:12:48 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.17:
+  * Add --log-level option. It accepts error, warning and error.
+  * Add debug logs for container creation.
+  * Fix double-free in crun exec code that could lead to a crash.
+  * Allow passing an ID to the journald log driver.
+  * Report "executable not found" errors after tty has been setup.
+  * Do not treat EPIPE from hooks as an error.
+  * Make sure DefaultDependencies is correctly set in the systemd scope.
+  * Improve the error message when the container process is not found.
+  * Improve error handling for the mnt namespace restoration.
+  * Fix error handling for getpwuid_r, recvfrom and libcrun_kill_linux.
+  * Fix handling of device paths with trailing slashes.
+- add url for keyring
+- enable leap by disabling wasmedge (not packaged for leap)
+
+-------------------------------------------------------------------
+Thu Sep  5 13:18:43 UTC 2024 - Dan Čermák <dcermak@suse.com>
+
+- new upstream release 1.16.1
+
+1.16.1:
+
+- fix a regression introduced by 1.16 where using 'rshared' rootfs mount propagation and the rootfs itself is a mountpoint.
+- inherit user from original process on exec, if not overridden.
+
+1.16:
+
+- build: fix build for s390x.
+- linux: fix mount of special files with rro.  Open the mount target with O_PATH to prevent open(2) failures with special files like FIFOs or UNIX sockets.
+- Fix sd-bus error handling for cpu quota and period props update.
+- container: use relative path for rootfs if possible.  If the rootfs cannot be resolved and it is below the current working directory, only use its relative path.
+- wasmedge: access container environment variables for the WasmEdge configuration.
+- cgroup, systemd: use MemoryMax instead of MemoryLimit.  Fixes a warning for using an old configuration name.
+- cgroup, systemd: improve checks for sd_bus_message_append errors
+
+-------------------------------------------------------------------
+Thu May 30 12:30:26 UTC 2024 - Dario Faggioli <dfaggioli@suse.com>
+
+- New upstream release 1.15
+  * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
+  * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
+  * release: build s390x binaries using musl libc.
+  * features: add support for potentiallyUnsafeConfigAnnotations.
+  * handlers: add option to load wasi-nn plugin for wasmedge.
+  * linux: fix "harden chdir()" security measure. The previous check was not correct.
+  * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits.
+
+-------------------------------------------------------------------
+Wed Mar  6 10:06:50 UTC 2024 - Dan Čermák <dcermak@suse.com>
+
+- New upstream release 1.14.4
+
+* crun-1.14.4
+
+- linux: fix mount of file with recursive flags.  Do not assume it is
+  a directory, but check the source type.
+
+* crun-1.14.3
+
+- follow up for 1.14.2.  Drop the version check for each command.
+
+* crun-1.14.2
+
+- crun: drop check for OCI version.  A recent bump in the OCI runtime
+  specs caused crun to fail with every config file.  Just drop the
+  check since it doesn't add any value.
+
+* crun-1.14.1
+
+- there was recently a security vulnerability (CVE-2024-21626) in runc
+  that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
+  outside the container rootfs.  While crun is not affected directly,
+  harden chdir by validating that we are still inside the container
+  rootfs.
+- container: attempt to close all the files before execv(2).
+  if we leak any fd, it prevents execv to gain access to files outside
+  the container rootfs through /proc/self/fd/$fd.
+- fix a regression caused by 1.14 when installing the ebpf filter on a
+  kernel older than 5.11.
+- cgroup, systemd: fix segfault if the resources block is not specified.
+
+-------------------------------------------------------------------
+Sat Jan 27 16:21:04 UTC 2024 - Andrea Manzini <andrea.manzini@suse.com>
+
+- update to 1.14:
+  * build: drop dependency on libgcrypt. Use blake3 to compute the cache key.
+  * cpuset: don't clobber parent cgroup value when writing the cpuset value.
+  * linux: force umask(0). It ensures that the mknodat syscall is not affected by the umask of the calling process,
+    allowing file permissions to be set as specified in the OCI configuration.
+  * ebpf: do not require MEMLOCK for eBPF programs. This requirement was relaxed in Linux 5.11.
+
+- update to 1.13:
+  * src: use O_CLOEXEC for all open/openat calls
+  * cgroup v1: use "max" when pids limit < 0.
+  * improve error message when idmap mount fails because the underlying file system has no support for it.
+  * libcrun: fix compilation when building without libseccomp and libcap.
+  * fix relative idmapped mount when using the custom annotation.
+
+-------------------------------------------------------------------
+Fri Dec  1 13:41:35 UTC 2023 - Dan Čermák <dcermak@suse.com>
+
+- New upstream release 1.12:
+
+  * add new WebAssembly handler: spin.
+  * systemd: fallback to system bus if session bus is not available.
+  * configure the cpu rt and cpuset controllers before joining them to
+    avoid running temporarily the workload on the wrong cpus.
+  * preconfigure the cpuset with required resources instead of using the
+    parent's set.  This prevents needless churn in the kernel as it
+    tracks which CPUs have load balancing disabled.
+  * try attr/<lsm>/* before the attr/* files.  Writes to the attr/*
+    files may fail if apparmor is not the first "major" LSM in the list
+    of loaded LSMs (e.g. lsm=apparmor,bpf vs lsm=bpf,apparmor).
+
+- New upstream release 1.11.2:
+
+  * fix a regression caused by 1.11.1 where the process crashes if there
+    are no CPU limits configured on cgroup v1. (bsc#1217590)
+  * fix error code check for the ptsname_r function.
+
+-------------------------------------------------------------------
+Mon Nov  6 10:19:58 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.11.1:
+  * force a remount operation with bind mounts from the host to
+    correctly set all the mount flags.
+  * cgroup: honor cpu burst.
+  * systemd: set CPUQuota and CPUPeriod on the scope cgroup.
+  * linux: append tmpfs mode if missing for mounts.  This is the
+    same behavior of runc.
+  * cgroup: always use the user session for rootless.
+  * support for Intel Resource Director Technology (RDT).
+  * new mount option "copy-symlink".  When provided for a mount,
+    if the source is a symlink, then it is copied in the container
+    instead of attempting a mount.
+  * linux: open mounts before setgroups if in a userns.  This
+    solves a problem where a directory that was previously
+    accessible to the user, become inaccessible after setgroups
+    causing the bind mount to fail.
+
+-------------------------------------------------------------------
+Thu Oct 12 08:02:18 UTC 2023 - Dan Čermák <dcermak@suse.com>
+
+- New upstream release 1.9.2:
+
+  * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels
+    do that automatically, but new kernels remember the affinity that was set
+    before the cgroup move, so we need to reset it in order to honor the cpuset
+    configuration.
+
+- New upstream release 1.9.1:
+
+  * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6
+    that always refuses chmod on a symlink.
+  * build: fix build on CentOS 7
+  * linux: add new fallback when mount fails with EBUSY, so that there is not an
+    additional tmpfs mount if not needed.
+  * utils: improve error message when a directory cannot be created as a
+    component of the path is already existing as a non directory.
+
+- Only build with wasmedge on x86_64 & aarch64
+
+-------------------------------------------------------------------
+Wed Oct 11 11:29:21 UTC 2023 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
+
+- Add crun-wasm symlink for platform 'wasi/wasm'
+
+-------------------------------------------------------------------
+Wed Sep 13 06:04:30 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
+
+- Update to 1.9:
+  * linux: support arbitrary idmapped mounts.
+  * linux: add support for "ridmap" mount option to support recursive
+    idmapped mounts.
+  * crun delete: call systemd's reset-failed.
+  * linux: fix check for oom_score_adj.
+  * features: Support mountExtensions.
+  * linux: correctly handle unknown signal string when it doesn't start with
+    a digit.
+  * linux: do not attempt to join again already joined namespace.
+  * wasmer: use latest wasix API.
+
+-------------------------------------------------------------------
+Tue Sep  5 11:41:14 UTC 2023 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
+
+- Enable WasmEdge support to run Wasm compat containers.
+
+-------------------------------------------------------------------
+Mon Aug 14 12:55:14 UTC 2023 - Danish Prakash <danish.prakash@suse.com>
+
+- Update to 1.8.6:
+  * crun: new command "crun features".
+  * linux: fix handling of idmapped mounts when the container joins an
+    existing PID namespace.
+  * linux: support io_priority from the OCI specs.
+  * linux: handle correctly the case where the status file is not written
+    yet for a container.
+  * crun: fix segfault for "ps" when the container is not using cgroups.
+  * cgroup: allow setting swap to 0.
+
+-------------------------------------------------------------------
+Wed Jun 14 12:55:19 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
+
+- Update to 1.8.5:
+  * scheduler: use definition from the OCI configuration file
+    instead of the custom label that is now dropped and not
+    supported anymore.
+  * cgroup: fix creating cgroup under "domain threaded".
+  * cgroup, systemd: set the memory limit on the system scope.
+  * restore tty settings from the correct file descriptor.  It was
+    previously restoring the settings from the wrong file
+    descriptor causing the tty settings  to be changed on the
+    calling terminal.
+  * criu: check if the criu_join_ns_add function exists.
+    Fix a segfault with new versions of CRIU.
+  * linux: do not precreate devs with euid > 0.  Fix creating
+    devices when running the OCI runtime as non root user.
+  * linux: improve PID detection on systems that lack pidfd.
+    While there is still a window of time that the PID could be
+    recycled, now it is now reduced to a minimum.
+  * criu: fix memory leak.
+  * logging: improve error message when dlopen fails.
+
+- Changes from 1.8.4:
+  * drop custom annotation to set the time namespace and use
+    the OCI specs instead.
+  * cgroup: workaround cpu quota/period issue with v1.  Sometimes
+    setting CPU quota period fails when a new period is lower,
+    and a parent cgroup has CPU quota limit set.
+  * cgroup: fix set quota to -1 on cgroup v1.
+  * criu: drop loading unused functions.
+
+-------------------------------------------------------------------
+Tue Mar 28 10:27:06 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.8.3:
+  * update: initialize the rt limits only on cgroup v1.
+  * lua bindings for libcrun.
+  * wasmedge: add current directory to preopen paths.
+  * linux: inherit parent mount flags when making a path masked.
+  * libcrun: custom annotation to set the scheduler for the
+    container process.
+  * cgroup: fallback to blkio.bfq files if blkio is not available
+    on cgroup v1.
+  * cgroup: initialize rt limits when using systemd.
+  * tty: chown the tty to the exec user instead of the user
+    specified to create the container.
+  * cgroup: fallback to create cgroupfs as sibling of the current
+    cgroup if there is none specified and it cannot be created in
+    the root cgroup.
+- add keyring for GPG validation
+
+-------------------------------------------------------------------
+Tue Feb 28 20:14:52 UTC 2023 - Niels Abspoel <aboe76@gmail.com>
+
+- Update to 1.8.1
+  * linux: idmapped mounts expect the same configuration as
+    the user namespace mappings. Before they were expecting the inverted
+    mapping. It is a breaking change, but the behavior was aligned
+    to what runc will do as well.
+  * krun: always allow /dev/kvm in the cgroup configuration.
+  * handlers: disable exec for handlers that do not support it.
+  * selinux: allow setting fscontext using a custom annotation.
+  * cgroup: reset systemd unit if start fails.
+  * cgroup: rmdir the entire systemd scope. It fixes a leak on cgroupv1.
+  * cgroup: always delete the cgroup on errors.
+    On some errors it could have been leaked before.
+
+- changes from 1.8
+  * linux: precreate devices on the host.
+  * cgroup: support cpuset mounted with noprefix.
+  * linux: mount the source cgroup if cgroupns=host.
+  * libcrun: don't clone self from read-only mount.
+  * build: fix build without dlfcn.h.
+  * linux: set PR_SET_DUMPABLE.
+  * utils: fix applying AppArmor profile.
+  * linux: write setgroups=deny when mapping a single uid/gid.
+  * cgroup: fix enter cgroupv1 mount on RHEL 7.
+
+-------------------------------------------------------------------
+Wed Dec  7 09:24:19 UTC 2022 - Frederic Crozat <fcrozat@suse.com>
+
+- Update to 1.7.2:
+  * criu: hardcode library name to libcriu.so.2.
+  * cgroup: always enable all controllers, even if the cgroup was
+    already joined. Regression caused by crun-1.7.
+
+- Changes from 1.7.1:
+  * criu: load libcriu dynamically.
+  * seccomp: initialize libgcrypt.
+  * handlers: fix rewriting the argv if the full cmdline doesn't
+    fit.
+  * utils: honor SELinux label when using a custom handler.
+  * utils: honor AppArmor label when using a custom handler.
+  * krun: copy the OCI configuration file into the container.
+  * utils: fix creating the default user namespace when running
+    with euid != 0.
+  * Add setlinebuf() when --debug and --log=file: are used.
+  * Fix timestamp format in the error messages.
+  *  krun: disable libkrun's collection of env vars.
+
+- Changes from 1.7:
+  * seccomp: use a cache for the generated BPF.
+  * add support for setting the domainname through the OCI spec.
+  * handlers: define wasm and krun.
+  * wasmtime: add support for compiling .wat format.
+  * cgroup: honor checkBeforeUpdate on cgroupv2.
+  * crun: chown std streams before joining the user namespace.
+  * crun: display rundir in --version output.
+  * container: with cgroupfs use clone3 to join directly the target
+    cgroup.
+  * linux: create parent directories for created devices with mode
+    0755.
+  * wasm: inherit environment variables in the WasmEdge handler.
+
+-------------------------------------------------------------------
+Fri Sep 30 12:31:47 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- Update the libkrun dependency to the new libkrun1 library and
+  devel package
+
+-------------------------------------------------------------------
+Thu Sep 29 10:44:19 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- Update to 1.6
+  * runc compatibility: -v now prints the version string.
+  * build: fix build with glibc 2.36.
+  * container: drop intermediate userns custom feature.
+  * cgroup: change the delegate cgroup semantic so that the cgroup
+    is created in the container payload after the cgroup namespace
+    is created.
+  * seccomp: use helper process to send file descriptor to the listener
+    socket. It enables to be notified on every syscall without hanging
+    the main process.
+  * linux: add a fallback to using kill(2) if pidfd_send_signal(2)
+    fails with ENOSYS.
+  * krun: add support for krun-sev.
+  * wasmtime: always grant file system capability for workdir inside
+    the container.
+  * wasmtime: inherit arguments list from the handler instead of the
+    current process.
+  * wasmedge: use released wasmedge library instead of libwasmedge_c.so.
+
+- Update to 1.5
+  * add mono based native .NET handler
+  * new Wasmtime backend for running WebAssembly
+  * add support for wasmedge 0.10 and dropping support for wasmedge 0.9.x
+  * dropping support for experimental WasmEdgeProcess from wasmedge handler
+  * honor process user's uid when setting the HOME environment variable
+  * create the current working directory if it is missing in the container
+  * fallback to using a tmpfs mount if umount of /sys and /proc fails
+  * fallback to netlink to setup lo device
+  * fix creating devices in the rootfs
+  * fallback to using io.weight if io.bfq.weight doesn't exist
+  * remove tun/tap from the default allow list
+  * linux: devices mounts have noexec and nosuid
+  * fix copyup of files from the container to the tmpfs
+  * honor $PATH for newgidmap and newguidmap
+  * krun: limit the number of vCPUs to 8
+  * cgroup: add support for cpu.idle
+
+-------------------------------------------------------------------
+Mon May  9 12:43:12 UTC 2022 - Frederic Crozat <fcrozat@suse.com>
+
+- Update to 1.4.5:
+  + CRIU: add support for different manage cgroups modes.
+  + linux: the hook processes inherit the crun process
+    environment if there is no environment block specified in the
+    OCI configuration.
+  ° exec: fix double free when using --apparmor and
+    --process-label.
+
+-------------------------------------------------------------------
+Tue Apr 12 08:59:23 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- It'd be nice to run the test suite with %check. It however, still
+  does not work properly inside OBS workers. Add it commented and
+  explain it
+
+-------------------------------------------------------------------
+Tue Apr 12 08:36:54 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- switch to latest upstream version (1.4.4)
+- big jump from 0.21! Here's a short summary, for details,
+  see: https://github.com/containers/crun/releases
+  * 1.4.4
+    wasm, kubernetes: support wasm for kubernetes infrastructure with side-cars
+    Resolve symlinks in bind mounts when creating a user namespace.
+    Fix CVE-2022-27650: exec does not set inheritable capabilities.
+  * 1.4.3
+    cgroup: avoid potential infinite loop when deleting a cgroup.
+    support additional options for idmap mounts.
+    open the source for a bind mount in the host.
+  * 1.4.2
+    CRIU: add pre-dump support.
+    Fix running with a read-only /dev.
+    Ignore EROFS when chowning standard stream files.
+    Add validation for sysctls before applying them.
+  * 1.4.1
+    Fix check for an invalid path.
+    Allow deleting a container while in created state.
+    cgroup: do not set cpu limits if number of shares is set to 0.
+  * 1.4
+    wasm: support for running on kubernetes with containerd.
+    linux: add support for recursive mount options.
+    add support for idmapped mounts through a new mount option "idmap".
+    linux: improve detection of /dev target.
+    now crun exec uses CLONE_INTO_CGROUP on supported kernels when using cgroup v2.
+    retry the openat2 syscall if it fails with EAGAIN.
+    cgroup: set the CPUWeight/CPUShares on the systemd scope cgroup.
+    on new kernels, use setns with pidfd.
+    attempt the chdir again with the specified user if it failed before changing credentials.
+  * 1.3
+    add support to natively build and run WebAssembly workload and WebAssembly containers.
+    allow to specify sub-cgroup for exec.
+    chown std streams if they are not a TTY.
+    attach the correct streams if the container is suspended and restored multiple times.
+    fix race condition when enabling controllers on cgroup v2.
+  * 1.2
+    exec: fix regression in 1.1 where containers are being wrongly reported as paused.
+    criu: add support for external ipc, uts and time namespaces.
+  * 1.1
+    cgroup: use cgroup.kill when available.
+    exec: refuse to exec in a paused container/cgroup.
+    container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
+    criu: Add support for external PID namespace.
+    criu: fix save of external descriptors.
+    utils: retry openat2 on EAGAIN.
+  * 1.0
+    cgroup: chown the current container cgroup to root in the container.
+    linux: treat pidfd_open failures EINVAL as ESRCH.
+    cgroup: add support for setting memory.use_hierarchy on cgroup v1.
+    Makefile.am: fix link error when using directly libcrun.
+    Fix symlink target mangling for tmpcopyup targets.
+- fix bsc#1197871, CVE-2022-27650 (as 1.4.4 contains the fixes itself)
+- update and fixup dependencies
+
+-------------------------------------------------------------------
+Tue Nov  2 08:58:05 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Add libprotobuf-c-devel as an explicit dependency, for fixing
+  the build;
+- Get rid of rpmlintrc, as it's no longer needed.
+
+-------------------------------------------------------------------
+Mon Aug 23 15:22:18 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- make libkrun support conditional, so we can have crun (without
+  libkrun, of course) on all arches, which may help with
+  bsc#1188914.
+
+-------------------------------------------------------------------
+Fri Aug  6 13:37:49 UTC 2021 - Frederic Crozat <fcrozat@suse.com>
+
+- Drop libkrun-dlopen.patch and adapt to libkrun new package name,
+  it is a plugin, not a regular shared library.
+
+-------------------------------------------------------------------
+Fri Aug  6 09:55:53 UTC 2021 - Frederic Crozat <fcrozat@suse.com>
+
+- Add libkrun-dlopen.patch: use soname when dlopening libkrun.
+
+-------------------------------------------------------------------
+Wed Jul 28 11:56:01 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 0.21
+  - honor memory swappiness set to 0
+  - status: add fields for owner and created timestamp
+  - cgroup: lookup pids controller as well when the memory controller
+    is not available
+  - when compiled with krun, automatically use it if the current
+    executable file is called "krun".
+  - container: ignore error when resetting the SELinux label for the
+    keyring.
+  - container: call prestart hooks before rootfs is RO.
+  - cgroup: added support cleaning custom controllers on cgroupv1.
+  - spec: add support for --bundle.
+  - exec: add --no-new-privs.
+  - exec: add --process-label and --apparmor to change SELinux and
+    AppArmor labels.
+  - cgroup: kill procs in cgroup on EBUSY.
+  - cgroup: ignore devices errors when running in a user namespace.
+  - seccomp: drop SECCOMP_FILTER_FLAG_LOG by default.
+  - seccomp: report correct action in error message.
+  - apply SELinux label to keyring.
+  - add custom annotation run.oci.delegate-cgroup.
+  - close_range fallbacks to close on EPERM.
+  - report error if the cgroup path was set and the cgroup could not be
+    joined.
+  - on exec, honor additional_gids from the process spec, not the
+    container definition.
+  - spec: add cgroup ns if on cgroup v2.
+  - systemd: support array of strings for cgroup annotation.
+  - join all the cgroup v1 controllers.
+  - raise a warning when newuidmap/newgidmap fail.
+  - handle eBPF access(dev_name, F_OK) call correctly.
+  - fix some memory leaks on errors when libcrun is used by a long
+    running process.
+  - fix the SELinux label for masked directories.
+  - support default seccomp errno value.
+  - fail if no default seccomp action specified.
+  - support OCI seccomp notify listener.
+  - improve OOM error messages.
+  - ignore unknown capabilities and raise a warning.
+  - always remount bind mounts to drop not requested mount flags.
+
+-------------------------------------------------------------------
+Tue Mar 23 17:52:10 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Add a mention to crun-rpmlintrc in the spec file
+
+-------------------------------------------------------------------
+Fri Mar 19 02:18:44 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Since we're building with libkrun support, let's enable only the
+  arch-es for which we do have libkrun
+
+-------------------------------------------------------------------
+Sat Mar 13 01:12:19 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Suppress the (false positive) rpmlint warning
+
+-------------------------------------------------------------------
+Sat Mar 13 00:43:54 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Some fixes to the spec file (add some %doc, remove unused macros, etc)
+
+-------------------------------------------------------------------
+Thu Mar 11 08:08:36 UTC 2021 - Dario Faggioli <dfaggioli@suse.com>
+
+- Initial package for 0.18
+  Based on the package by Giuseppe Scrivano <gscrivan@redhat.com>
--- a/crun.keyring
+++ b/crun.keyring
@ -0,0 +1,326 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFJtp1EBEAC/8IKgtgDH/BWRWUkM7pDWWZJJgaE2wMhCKXbXMbtyJHBco/TG
+7Ow2bD35H0QAmhh6gGVYu9hwrzK3EiP9SmTMXjJmhm6b2iFlhV9bbU5pjb/q3pT6
+gaP22DMOXOlo7aCZiTCQ4UY2p86meJ1xM585wnvmfY9CZ3V4rloa5eKwVU3wUflL
+dv8im81fNGpWFRaV/rhWbEcL0zft4hmkwppCFGJe9XP4houjVIFArb31mBPFguJS
+O4zEdiJh+Oj9htbrxAXqiaJwW1MRRBMkMvJDYUSZnV90lWUUdxglO4/V7uOxdpXY
+tDdMcOlSY+mnU36yyrTN4o7UAzvXEXkc7YHQZGhY/XW4zXDhnH0G8c+cx6XnEml8
+zVrU8PrdKNo5nqxZ+ZdLz2kzAxXpVum7LABkzWIQ/+0ShhX7cS6/P12odabQpQGH
+QpZgTIP2BrpFJ+L2j+I69dKl7BtmZVy0ya3P8SG7ny819aNLSa9PDOWxKk3rxk/v
+4BI6vYWY1N4AQ8bXQHHzUQ/V9E2uuslSUabp7WDqVPcWxhekBIzfVsxqNsXEycYZ
+ZwA0VKacrbDR9iT9cP75xDXw9RHxsrETfGYEXEia8FPSR1bGYw9yLExdDPdSRUl/
+JEotHv4+Zt9gXC2MspitNs8LlL4iB+wrb+CvBBCEupufcDXnmcAGRupWCQARAQAB
+tClHaXVzZXBwZSBTY3JpdmFubyA8Z2l1c2VwcGVAc2NyaXZhbm8ub3JnPokCTgQT
+AQoAOBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJbBooJAhsDBQsJCAcDBRUKCQgL
+BRYCAwEAAh4BAheAAAoJECY9bfLhY+HqytsP/jEtg2xSQTDCOOUNLKbMMDTCNh1k
+ZinqotwSp93TpbrXtFL+2CF18HYdaLNpCtntM1OIwUiCm07/6wSp1buokgOgstI7
+CvrwTMZCOcvvfeM+jYJc5MPxwEpuU5pDLjPdqA0Pn08YBnxJhByps1j3Ee12ia2D
+ujakLFe0S0of/Ib3xsP/2Lj8H18dTHnC+kKET/QQWExw0mPYBBSk1k1zR0F7kAKF
+zDbiMQGr/IhA3XbK4h9O5bFaJx1PDWD+ywfVg8HFoVYGiwjNd7NzS0HxMERrukjB
+7EoZGa7+rZImobEaM3pqGU+YjoEwWl4L1jcFo2mQymoEwce6+stL9v7Fv01+fRAi
+QBsuD/jwIbxOn462Wb0C/Z3ZHOuIg4npujKp1JNzm4hU73PaYqXIeJoVz66nqIag
+3bdNlYlSjV+TsY2/4xZr1xnhIjKdBQ9BL6yDjwMpFM968OI1by6L+s8XzWqc6JGm
+jKhCfy59otWP69sXenFKmc5sQzubSrR2nwyMLpO8/bBiFm210kuji+pzt/JaOBun
+RUDE4pf0tPeEjDozJiwdBl3HoH7CYQKcBdqEeH+gmWugZlD3nm2A08Y3Sy2tTigK
+OzTdUjvHumOc96bAq9jm5+nnQRF8Jt3sDwzN5VGuPqWSXyAM68G3a3DZi/l/7cPK
+DWDr6Qo1Qy+5JYs6iQI3BBMBCgAhAhsDAh4BAheABQJYsGN+BQsJCAcDBRUKCQgL
+BRYCAwEAAAoJECY9bfLhY+HqYfAQAJL/c0c/tl8nMObWwu7wSTfGrj194LCova7B
+HCyOo4mxzMjueah3UxbkxmcfnshSExQXKQYDWhp+TB8wAnXfqQXyEoQhA7mrhiOh
+ZNdnrgQpl2YJeUO4RYhpb4BrK8pJoZbm/s2Fbp+0myEhQUItpAGcDWDdr0j/bDQM
+e6I0Ja3ZDEPGZkWU+hhdhxsrmJH4gS6QWqplqUPxGxjEDL7EjIdV8kTVvnaaVO+N
+gusS2gA/cO0e4tP0TBD0nEyGRP5TR1hxSSV7wcn0AoXMflkvJCjXWTuub/pO8eWI
+078/QzuFp5d7Q4chchbGx6W/0bPg0lfzcV8+3Ojo5qIg3//8ML9S0eSQCUO081VF
+a6aUQ5w/uJ81imx6VlvIh3b+AWjfgkSg8+kKOLDbueqMlabL3TP4JKwmjn+1B4id
+w+z0qFqThuP5N3IqjvIo2vOuFAtnQ3ZP5KDQiKH+N8hN++nZvRSxAyW2umz5XLgh
+Tg5o3FoZ/rD6oiw4nFvS94+egp755K/UeqyO6W5+Dpa9jVx59MnR49Y0ZAirpo78
+jlf4YpYrL60uvyCOzJ7vwmccWqlplGSdYq9NWBuFUwa4EQoHggOLfZnzwrgD2BBx
+pUM2GDWsgWYkXu1bCL3XCZXMg6zQYRaUerH0VqILwR/dvzGkRZcJhcxY9x3uJYRv
+XCNA4v8/iQI4BBMBAgAiBQJVTMz0AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
+gAAKCRAmPW3y4WPh6nwUD/9QItnfrr6mCuWaWmJ1nZe4VWaiYN5iWHgpTNHFRZPj
+8Umi2xdFulD/Jll4t0FbhlXDTNsyrwB//30Vu9Vx5oB3qBumqAenaFbMGGyDT5Wr
+PiNZSws57MEqUmBi3+yeHO1aaqaea3x2VPYxtNyeHSuSUXe8tqQMSto7XtAmsh6l
+MGYTRerONVdRogj15WxuY+LuZwAB5E8AF7fs81a+YsRp+50h51nEwUitdlEMhKnG
+25+FkEQQjemoL2KcB256lTLjc+q1P8V+LVJ3BOYdbdjTgUk78GsU99DseZz8G+B5
+08WFvHe82Jftg7U9K/wgMWZDqRzijRR7MIZ4h56gt7T6nnFp2NfyPySjr6PBvEE+
+NwS8yTihsTUGJSjosNvr8qGHAXRAu+0Rq5LOkQNyg7sTxE7myDzy2nNaRdVRB7To
+NLQl8+GMLweYb6mwQW639n1aZEqcbWbPs26nLa+P8TpzVrfn6b05DQ/fwLU7OHQ5
+icUkI3qf1EgpCc8qLM1U4gOoMDUUYkHZpVXnXCAtZTAkArFpmBoKa6iaGHKhzR5k
+FWBj1jtBR8gtjMuIFrQaWAaFY2dcd9vzuj0WTLe9o42W1JMuW8STwN3lHZiVcnR5
+yiDVB1e/dIYScP1ausud5Y0KTgO315pPVM5BC/57sW+hFfUyVgyKNET3uJb1KnFM
+NIhGBBARCgAGBQJbI7G8AAoJEAeRr4zAM2P0a4EAn0+ymbTVe59JXo6uqI+b3kNE
+aylTAJ4xInYi2DWqH5JG6WjWxMy5ZhskurQnR2l1c2VwcGUgU2NyaXZhbm8gPGdz
+Y3JpdmFuQHJlZGhhdC5jb20+iQI4BBMBAgAiBQJSbagDAhsDBgsJCAcDAgYVCAIJ
+CgsEFgIDAQIeAQIXgAAKCRAmPW3y4WPh6sIWD/9JqIUpSlvj2T1dCQxQKtctGvUU
+FSa5sFZbrl3o+6Xqt7/7LfCSAJQJE2uJ2D9i8/bOK3eonZU4qf0267D2vF/ouWYK
+MCETY4DPD2cvrH2kuDyomG8igEQdnMgiW5piN4HZ5K+GZwH1ttcNlEe4v1BxUFYl
+kU5sOxWMfu2PCUSf95aJveD0k8LhEYZKlDPapNiDz1ifzIM4kPWE/RYT25PJYiBX
+nZ6f3yHy6P6nTsqZPkJl/3BF7+Q7j4W8EX3Cc/IAwPHj1uIcbB99vWK2+0puUJ05
+RJiQxlzKKFgzrUDKISFes7zfMeJtbVOtYykfFZ1hwpCAwKjDZwqBlPLnapQoUw0M
+dzcKs7Ho+LvYXdzPVsRZqomf0OlUPesMsKWRkfW/Btu9OPXei64uxMcOQ6gYf60N
+lq/P8dKoXH3U7vqzNWg5NQlfWUKfqBeBot0O9oC3ddJjfTwXq+bRZefOCF976ddj
+OhmfW7zqnI1mxsg53VoefwQFYOvl9hj0Km0Y1R8gxKj77jlV3I5NIzw94gsftnXq
+XX+hIzVvAL79FRTw5+qvCHFeo+QitpnwSdt+1gmq47tQctPlrwV319gkxKJj5te4
+jbPcsgjSch+LSyL2CYUB3RTpAcVGwIyMpyPGgD3SrCAATGx50KjHg1/mQvqO/2Y0
+YOK+QDRMlQyT979tx4hGBBARAgAGBQJSbaggAAoJEAeRr4zAM2P0GKIAoIIBIy/4
+aC7dIFIUQkI1U+sZUgelAKCLmq/XMapi9Ln+P+D+Wz9NOt8oqokCHAQQAQIABgUC
+Un5LzAAKCRA++QUjswSvCNoED/43qUdK379l4k8yYbMYNfDqKlUbI8XqTSiqcgU8
+Vy1Nn9TikS9Ov/oXAfNPrfX0DRj7lXobHqVcwWO+Sns3yKCjyc5gFnsiqGf/rt0C
+ujQmxyxh3lipqOkB5+jrHq7kzoSeGUZz/WisiMRSZk5ZcSLFuBm7bIcyfE7v4WGM
+3tkss6/kMuy1/fbBHT6sfTSY4r3afVFh4iCcd38ujzLgUs77wKnw8UpdWxdHWqXT
+ZXqHyHyaXquAyqcueDwMdhpp3i9M/mlbLEv7WpCGMCigLG176wFmD/lQMpVhyAFI
+zuMzB9A/lwBIk6u8HyDV8IO3QGgQwPQeW0P5AnCn8IkQoKrrq8SFY5qyXL2ey4MA
+wsX6h3z9HeWVHEE4Dl3O66+uhTsq3JR5QmuMD2LryCiXIfX3IyOqz2YzZ8dnnquO
+uZ1j2yP85aDFyuJg++NXtoBgekebFa5tigaDgrt7HvptqTCxnHMbnn3u+3gHsy6A
+I0v1yVLMr0Dm6bVu60LEF8OVPi+JirBZW9lXRqBKfR7zaeXs6wXJAGWsT62O1sJX
+CMCsJnzAj9zmaaYIzqb26NfmVfMdUDXRjCG8GmqnJcH0Vy31qykff7p7uTBQeXAF
+VS1Oc4Z4GeF/rsl0I4j2gfJSgBEz+td82iXqIMtCVOU180yxaFNxm/3LwPT9Q+4Y
+ORK1GokCNwQTAQoAIQIbAwIeAQIXgAUCWLBjggULCQgHAwUVCgkICwUWAgMBAAAK
+CRAmPW3y4WPh6ipaEAC91CVFv1OMQ57Urb9JAYzUI5DCD/2Hu9AQWDg/k6R9v2mC
+7ldgHypTvZS501KEDVkAnlt431WNq0PuX57hPVgvxmudS/NDCfK2yceskj6f4o4Y
+kfeMeLsWazS+GXUq462JhN2IzaYmMD/RoT57XgU8Ezv/W1txXOZjLkIdlw5dw5+D
+G7u0U7U+xSd7gZV8ifBX6TY77qBD7uYqAcXQgHWJza3iKHmNxN5jVmBr4ZOg62kj
+z1K3PSDpBOe77Tc/XBuYuHDmzGBwP8DKseG46dgKZHnxMlKZYekKU2d5HxPWohp/
+UlaE+VeAJyEAw9lFkscYCDer/MAsnVEdfK1PYpl5VnwN067d+Q63revhpU205lhF
+HyQqG5ImJYfweeapxbT9y6O+3VkApeQEAGE8AHC//eYr4mEi3P4wmng9bJyprIA9
+6tVj6UzcxT6QN9DMe4DDsL4pfY07FPgWNaaVbmTM58GJCo9MRAJH/Wk9EhJhIT8C
+dUfHioAYpBiD0syinNjoJPh3f831FsR1E98koYS7Xvgtw4YDyoXiMu13eAkSdrQ+
+u5yKxPRZpbe1nC/y/Euy7WCVSvbdTGCPkABqFClN/oJGSe4TosZ5Kp6l0XLR8gtU
+ZAWNZumBh7jSm9z2MFnpgyfp/VuNPyI5OgK0VygA7r7fSGzKLE6Sr0NQLd3+OrQl
+R2l1c2VwcGUgU2NyaXZhbm8gPGdzY3JpdmFub0BnbnUub3JnPokCOAQTAQIAIgUC
+Um2nUQIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQJj1t8uFj4erJZw//
+V6wWXBl5p534yNjWaBDnEna+CEXtO/p3ZtFrbJlcXpeqxFIsw0vWrlj6jE+jplqG
+28wwSZ8mhxJYhNmYA/hOuV4zVeXb24MlxGeDUS58DuI5y3g56SlRapVhlPPOCLHF
+dTSDY3Q0gNsGg7iqW92evjDgcUxUQxGclrw7XqzeKXrJpcyS3sPyMQ1XoLYcm6F3
+4/k6zCgxsM2ouPvSVTfb6hQVE3zNujg5MRI4JJ5Pel2iBNsEfMl2YjLucpuoryDs
+RPnTXgwpU68xR/z1Uu0jROWaWVhitZwBvAVlKjamNidCT4YdSlpitI+VpLTEomUA
+037V/25z9Ig0Z6bxPcOGGf5ADDf7qiAJWFN8Mb9CxsR7xywjF0Ew93q3Le4qivYz
+GbVbqlFBn+ldOeVl+dnocFPD17QMuHuQV1SDh0Oe9nINg2eTXOTvci94VwqVZc6+
+9lqxuGiqTeDGc4A9AmlS4d/7V0moDYy40EYz7X2HRPEp/UHskraSL7lBVgQQz1jh
+tIKmyQ2lQNgbXpjEsporoUexUgFIjIuS+RaM2qH360uxigzgNC2PxHLnu9930y2j
+kahjGY5XXSYTTejaidA8kdWr/1tnEDaxCSMiWP3nad0UzUJJKZfkg+P1aSPPciH4
+83WHMRHAadjC7Fpja/QnCVwZo6WFhTXfGVL5sKapu4yIRgQQEQIABgUCUm2oIAAK
+CRAHka+MwDNj9Kl0AKDSFIqUMRoYWYBf7p4bSxucm0mBkQCfZ9yFdtDHqAOa2FoP
+P7dOsQvB9HyJAhwEEAECAAYFAlJ+S8wACgkQPvkFI7MErwhXwA/+KlaXvss0cmsP
+Dy4n+SoOpnZDJnBGUGgl/s5Tvng243bN76kTGVrObEzcnSR+zqqgFxTKmJa1ryR4
+cnpWm9RiKPrbt461henZMRgNv3DOvBfWUWJTgGZ2apukKJnrv+4XKQCVgo+t0AG/
+xJ4H/mZmxs687qdgKebxLJAFLHEmwrat5vmdyVnBKprH5dMtUApn/QoXwZ4dU7+V
+JjDD8pOLK8EZb3cbGgIiewsJvVtXAjPEdFTaNaaH6xHUT8HaLw5z5yuQ2kmnpWjg
+60AG/jZTaswtl/EOl8Xm4LhDdkUT5L4SOWdGyzmXogVOakbm+4ZOrHGctbeowl5p
+d+Cssh7RTYV/i2ErsE83jNBDXqjejYbQLLRpxg+t5UdA/zMIl7nV6/G7IRQ5PQrD
+Hi/dNYe0SCK1fyGj2QhgBfqbs//64uRbhQDKJ29yDEnCHpAR6odByf9cHfQrhwKf
+FSWWukw0ik/Hda7NqcrWg2HtJ+Y5zUPX/0TPJ/J16zWzTbGFwMFPegY7OY4EmOiH
+5Qi1i8Byd8H+Re09sbhL1lIzBeENzcQeBy8btdhUgTUMAIZa9Hav82m4Mytda4tY
+kbbMaj0NnmUyHM8k1KtfA+wUuua6c4hkP7qvxJFGQaFKckWfDnj81piq/6SjLRxx
+xV7aNmXPfNut34uFNnNL6YeElveYRv+JAjcEEwEKACECGwMCHgECF4AFAliwY4IF
+CwkIBwMFFQoJCAsFFgIDAQAACgkQJj1t8uFj4erlbQ/9GrZNQGnE6+PKBr3QPkbS
+T4CWBlSndb4nY6Xrfa3dD5kjTfNtHCa3IX8Gr0njCwBSIAlvczoFCNoTF3N2AzYM
+49PlQOJyEe6yFNPN47c2MDFTMGs3tldF5F6+rW6XKxKxMSpmUZSvofO10CU3iFN6
+0CdWJtBDx0zII7e3yz/CBdS2xXwtnbDC3olo9MGmS5EQJKyk4SDf0h3fza0cxNQY
+NwqPmdFrFXq2PLJOdMk6+QvXGZgZRwdI+haXhHJyskKZ+XytxkX+RuFRyRFwhE9Y
+EbhSSzipR6r5jE7juQmLRi7l8ERzfvTJ07OQSgZ4qDJ+JC0ifUVREUo08beigHhT
+4vcBaJ4yXzfvh2pOz7H5LeKj4HGjfreY/UVi+jltYVJDayJQFaDkBv5SNZghzKoD
+smx2eKDT430ugJNrT4Fr/AU7/96MG/IeyzkSFsnKN1Og9zfQ1RTw6Nfbe9A7bRsz
+skBW9v1gSlc4+S/GZvwOszO9TfmAHGB7Kylq6SK6h7+s9NPp1oI5dNcngJ5I0/2C
+DNO9ypmfjuVC1VR3EHVSdiSaw4b2W/VIRXbdqFKe8DSlXgLfjzXP27aIG+P21WOY
+I1xoY89OJgmvv9NI8YioBUZiI1Y1tgF5ZgI1Z+sIHK9a4kM+G2idPq843rm4pJZs
+PI2NsZ/hC9N+zsIsRpdx7h20J0dpdXNlcHBlIFNjcml2YW5vIDxnc2NyaXZhbm9A
+Z21haWwuY29tPokCOAQTAQIAIgUCUm2n7wIbAwYLCQgHAwIGFQgCCQoLBBYCAwEC
+HgECF4AACgkQJj1t8uFj4eqfTg//cp0yoHHdRrL+VTkllaXzwYrc9uy3IE967knd
+ikxMSwyB4tOEYIZVehOoPChDPzafaFGKl6V78wy7yKaW39GiKWOfecUtv8Yrq2uc
+OKR97pddFHbknuHhQfUbS41rrSaLMuzrz2KvKvsTE6pEVBQ4ZmT+oVOAaUvrom4F
+54Uj8X7DF4mGDuaQ/tpRNTVWaUJ2VFmU/CHcKaIV9KsIn2m9Hgd9xQ/5oC8NFksA
+oiNRq76k1EeerdFU2iQILpAKIEw4BN7Wm9cjuhXKX0jMpHrEleTpaaCIUfklq5+
+V5A10Vkzca6Fr0QJHczTEE6riETLtpv3uvCCPy6jTTuKJC9wDlDvwdscjtmmd1h2
+Y0g007JYEgaXFMPuINppcA9lw/ExiHns4xgM/625pRxqxzv/Zmtsi/W831Ynu0fd
+t+FTzCLGmlB5vAyACVfNKsmG8Mozb5WcasO0NakitANIWDpsRdfcxyxLEQRNd3Va
+NwaHmvJykdJZMCoarsU7KAoXJEAI+STPGxVmU+Gz57ScyfiTOrb5VmwSkxAZ2CTM
+0oMgUA2TdZ30Qm5g7AbICirMe/AYogZqyjVbJKN6S82oSqZUPwBqyz+cWnyhZ7Q1
+DAQaqRrDIJs3/WdyVAV7fB2SQO912pxeDpDGRI3WSaAhMjmAiY5A23w7cBDVZ9pZ
+ch98GGWIRgQQEQIABgUCUm2oIAAKCRAHka+MwDNj9HoHAJ9JxfuGI5C7EM8ly92u
+RveGsX8JxACfcPjWUz9oPHnhT8J6029EpDWt762JAhwEEAECAAYFAlJ+S8wACgkQ
+PvkFI7MErwjOGBAAl77pkDb1tHO6NILaTgKk8JLbQDKT1yRNpp8vHa7E4SMEVHWw
+u3+lRH0ffU7apDBcFtFwCtVMatoSQ0/aGvQ6YaxGEUvah8fpoFLeNtWDt3vMwkZZ
+IEb4JSUx/y44+9oZ5rHFDmtfNj+T2D6tJ3Qg2BwX6vjIMUyzdZJ40WGCJqA3zhAQ
+M8ks4/h3WVdvhQRZ/pWBP2xQaEPeaj6lRDVhvbAiJ+bi0GfQvdOxqc00S9QLffJH
+aSBsybXj8WMMCujg+SOd3OPwH4Ci8yNeyOynAMlTubpZ/cB8eBz/NJKkJGrabCF1
+3STGQMAllDwVE4JmWo28qmxjrcUAm9QJ7PIDmqO8s3eZ5GCiykkpK6l26ITsFdKo
+uj9SMvpR9yV/CJjcdd4UQtM8dIfhONipJAKvfqb8U3uFh3yr9vayUqik39YV6xys
+DsqqsbfJFRubeTIDWciyom8zHQCtTnMqkH3jxNrgUebiC/SVCz3kWZWQ6i3Aw/xi
+3QkXLi5P3kMoJWGnwnrrWSie2P4wQQ6ym8MwheD8PVbNsyxRpwMfGPV7sf+cN8ua
+D/9+so48Aau2qW1wGM91BXZ0Tfnviag1LUjmv0uMDYM+hfHxy2eH032sZ1NJO+01
+sxEkTmCpU/z7ihB7KkEdi1UIEll6SgeqF3tEjg8SDWAtsRs8ofaFzyyAMmGJAjcE
+EwEKACECGwMCHgECF4AFAliwY4IFCwkIBwMFFQoJCAsFFgIDAQAACgkQJj1t8uFj
+4eqjww/+MGBEwC7hVSzMJo2ZEHkmzzdp4sfmpL0UIIm/3oNtjSN0sauddvRyVe1C
+uS2tTV/5QCU5zbMe/Bfpe5Fb8TDWbl7TOYFKmIoIx0iVMdWx67/BOzmBdQS0Uoyb
+PjHMeNxg2CGO/XUoDvQXjk0F5fx3Ly7o0NDlnYvFVDRTIfZfE9SSkTfCgxz2/oXv
+KFAVYxKJsIw7WJiQ2YNxm39PIALzJ4ao+B5zi/GS8FREoBpXcupnp+nMQJWTT2VV
+COG/wbA2wVPJDVV5ElQucDHElV7F23Ti5A7jRwiX1yTGNj6MNbTVPQhjqj15y1Re
+U+upH/EjzgMgTAuh+mnv+86QH+rYPhE5opg/3sb2HK6hfW+SYQW8J57Ul2BiCnOc
+CuA0Xu+JUj6gpngamQwkfl2KZ/SrK9/qusbNleyuRJokLV1yMDzK9y3XW5jxmkPr
+ZmnzeeS69QOINblThnHnTvv98hwl8VTIJ3cS5mrLdRxryny1ae2oOtLv9yfVbjCG
+SG+bIO4y0MtyQQqlbJU/lK/IUujVDu1jNguhnsRKtZnD6q8RYN1jOUJUEQF2yexP
+d+nhikrAvmpHDWkt3rKwL54WF1VlhreYxas7AA0unrJZh0thc6+7IrgFWCkualDu
+LCb88fxEa2fiPunrkKHZKvpMJuYEPS2KxgwdoTCSyLlFjDeoj465Ag0EUm2nUQEQ
+AMn93/Bol72GW+LhEF8amKB7mnUArAcI556nmhOqAqYE682WBX+Do8qGJXiwf9UR
+aeyXmOD17YsB+OkxQFivfJ9G0y7+u4MBq9W8qNRDAe6iBe1Wt5eIv+bYc3IOrx53
+naH9FnY7xDes96JqExJncWDAxZOtuoNHBUz2Avh0LxqPtiVRI0g3jRWa/SynwFdL
+1NOjFh2oHUUNeunoNARZK90oZDrhUU+XDtP7V6He98L+ZODrZ675CEC9O3U4Uzuw
+QsYRHWMb0ZNvJOENDJ84D6xyAafZfi1FKv04KalleHfCon9SJmIrb1oGY9T6bagK
+1fOydSK6kvQ4741rpVvdFSmWFKR4x9xiQdDv00cn2nHcyV5nB23uiMVsPvNdmgKP
+wU+bs+b+gWgXXtc6otJB6oaMRDPzvLY20q3n/MztICAbTzG64f7pPOFyv8gOZyPU
+KHXIRUTBVSwRj21DACtKBBsjvgIPK3QTHrqiaBq9xsNSi2xdpP9lpwGgh1E2xO9I
+7dfa4uIzGzgMLFtMOwZao1PKrypRrXpFdSRoDOzKFbXWzL1iQ5jJPJq3h63TD+ju
+KZrSwBiOif3z2baA9GedwSkJaRQ/wLq6PDdp7vsq06A4gv52VkRJTmqkZo100HD2
+GGQur6yDUsnDewJW+M5GgS59UShWVCOo6we7IpGpsAAnABEBAAGJAh8EGAECAAkF
+AlJtp1ECGwwACgkQJj1t8uFj4eoB7A//S1M22r2JQcuUsRGR6mmb05c6RwpdmfmL
+U1w+lJNGtRX5TsLkGdXgA9FPuR6z2YeJKCdG6FMpmH8U8EXet0+//8Y3OBpzUh4y
+WZk89UKDrxHVA6tomH8g55OtNUfjzODTEL9Te+GJsqbwV9Vjp928j/vqA+gLtdID
+wOmRLfnb0vJglgDLT2Dc4QtAqBngvu3aFC6YXLrvmmySfCpzmwMZFgoVzFsCGAVI
+WLfYHhoux8q8+1bYO9+cGRdgzT7mwojuSOYrJ0luoo95hDaelfDPUHD7HmpqCvwU
+8ZpYBx3nHxXfJyF1ZWuF/JTSm4DXgYavG0RD4FaSjhKDCUN8P/6iN3j/onG2bTs/
+Dg2/yFw09GXXJiH1B7U5P7Zf7Ig+0tn7XwIbUBOcsGKvGwCMtiGf6BI0AsMK6eaa
+rOYmtAphugO22A6X0Dba1v/Tx9drdEJsSDviiE+Lu4WdwDxN1Ar7LyfQ+TzsnGNs
+dMyy9zFAFa3Y2Wqa6kOcVA0sK/13EBFQHWXOes3Z1d+mtMsgOMTwJgFicNqHSAyY
+8heEgC5up/Ojo/5t8Ix3JHb3x+C5JmMuBdwMU5xWs2rHkRj+l+eoHW6xlBNaCvoI
+obgXkfO+CeB9T7NgTGLQ8Yf4pHquAPKHlBE+nH14PbxfkA6PyhuU1psOGBDu7x8y
+/J05OuGS7X65AQ0EWwaY+AEIAK+RSbW/yR8qK5GvRqLWAKU9Si30ZaA1PWJgA0dE
+hFsQh5Ba7kOoB8s/Q/crSlJGyU33fU1UqCLZ6EZ55Uprh+viXi3f0t7K1fEJLIue
+KZ7DdJD1vANHHkAp/vI/Xf+/oEfhjvh9QbroItMuiq/TT/Uyqj/4u+JZsa2tLRDy
+8MhSWJ2VWqM9IXDA6HUw7xXuli+0wYTkOmS6G0lMZuJwNQSUAXt7cZ2ATcd4saDa
+jjWJ0o+/L42yhPHgUiBXVID5wlX3NL8jigqjYOzxY1UxVezCmXzo1hzZEkvrFOvk
+QHZdyGdcGQ6x/X+lU7xb+iLq3YK8vZPBJXeoba+0RNJjQ6MAEQEAAYkCNgQYAQoA
+IBYhBKxATBwL9zXGP/TVYiY9bfLhY+HqBQJbBpj4AhsgAAoJECY9bfLhY+Hq1fQP
+/2JB9FSCIQ9Td21K98P9/3cXwAkbiyjPkUSYfarRqb4VXrpiMbTzJZeSxvywm1By
+qGw/j9NUgZAroEQtIiC9QLVJJa/kqF+qXAeSQVX8NzDY5gONcwvkm9s3vt9izCxS
+zfqe15YCKjZLWDdquAlDMe06DJdS1KY55/yGwwaOPmz2TkiApszQEf24+E+QII6s
+YV/+oiyR3bTs5JxjdRnCUp23Jyh493Zm9ANDqreDSywNv7q9+0PMmUnmUWDdNNqr
+boAawsR6fVCFp57Eyha9zEV6e/P8WMWVRkdhvd/QeUGJLnoZL4mqsQiRgJyjlaB+
+1zY4giowwl9w4vjK9QDmX2s8HvoR6i30dy5Zy7Tk7tLerlDG4opjEGh4oZl3C1qN
+sVFBu1obkRzKk6UtAYW7+bKfFuKgKL54tXhuyClR+gMMInN+88mh/DVDGhfBKa/v
+lwegNUFXb/uBKMO37R4PM+ao+6aupRA2i22K9X1DmMyQpk9VDDub9B5jBlIQ8HRE
+4wR8W6/xAAEE9MTv4UNFEDEB4Y9uqe7XnCcNBTLEu3IjNaYckk7X/qsia5ztVVpI
+sXnObSpbh8KOzzHqM1bPHLEp1RYSTPy1q1VMwhyRTz0bRdWOFsXU7A7F+yVAT/Wb
+MorKJj63H3JJ+v35nXZSzixkx1x1eNdW3bUT0ZSZ5TUcuQENBFsGtRcBCADEld1p
+2+NbQkSF+WzzzmQjbIWUEQy8N0wEl0t1aRdaWV8gIdtC3q9Eg4Bpd7wUczNsCYWk
+iGBi7EEfn93vcXhvqX3YQY/xTc/88PoTtIDgiU+j1LsPmi4u0oIHg/hOCuFyLoWC
+kJPxm7TiqXAqWiEwgp+1TPh54EXUQWBQO5W4JjLxpLvkXpWQGKJF21s9GulRUP3E
+30FFa/twLFuHbJrG8+/7Zynu4t/z+KjHvEfpIQX/6z+NlSkNigubD9jbTvMuY2zb
+ZDN1OdQHs7ZyI9A8AdxqXHCBRpZECo77X3mYQUbmYQfB/aX60TMYQt3UBivggU15
+u6mdrGo1bedCLvDhABEBAAGJA2wEGAEKACAWIQSsQEwcC/c1xj/01WImPW3y4WPh
+6gUCWwa1FwIbLgFACRAmPW3y4WPh6sB0IAQZAQoAHRYhBAJ/O9WFlMoYG7XsUORz
+D5f2AobtBQJbBrUXAAoJEORzD5f2AobthwEH/1fxABg0deOflZE8SS9VTR0BiM6I
+IOnzbXlJ/yHOoAihE93PppLsmzheWH0N31TW/OHJ70nmdhVgNM1IAjZAO6NjeCaA
+aJ3FvX9/FcYUetLeVO5r09JQ3KWhyLxSp3HGzBMvZ5UITPz5NylUBh1s1PQoZKuB
+8sfhdFs9t9HBWK1E0V0uMzL6uTNmDeMxK1XO2R0i3s4WalF4PeSMqvrL5wgrEAw7
+hFi3QZT9VtfGcm7D68qCu5KvkttEjzjH1F0JUd15kgtd/D2zN1ekzrEoARwuaPnT
+OmfidCNUIvbHKo0cvLw/kCsWkdCidptCEnPAA5j8QwZmPkdlUGdWoo+t1k34GQ/+
+MMZ2uxoul8w/pTFhYhLFrJQId49sgtuZ4H5EysBfYMcLWAMecYzp/3Oj6LTRFisB
+nWVdcuV4v39UN8ra8ZKSGJ5fz86pEEljjggWO9oCrkt4djhSMrCXOuEKHyarnf+E
+sLfHHYssz40TnWGfwTuBOomAkJRd2xZFsDiaweoTqdWhUnb/9rFNFUuR9s2ij2u1
+TpVnSK4pu9Tl8gGjWyHuLi4GYPOdu50abBuVvxtDokOT3P+st5YCHI0fr56Mykhs
+TUsBBJnbYXJOJZkLHWg3umyDZ18/wE+kiSrW+qly8UiDFMA4DBR+K+V9/VdeDYjK
+B9GmAJqmPf0+knLF2TwPMufZwx/VXwUmphBjGn2sqBVP46YoC/dxH7GFYusLSYof
+QhMK6K/9vsjqhACMyMsWr6VzxYgu5bhs1G74JXlJkaX3wezGScakX/shP2KbmvB3
+cbfUYeqo1Kiv9N0iiWZNaGXcJ/7wXUTLWPAhJ48a5YTLnG8aqJSGI7dCDbMUcPTR
+uDSFi4ZQER46HgqoXqhaql4fSWFxCSbM3YA9hs+74oeNHb0QHEPAxfls58gAHRzh
+ZSVcbyGpyv09L41RXpYGX4gCbmLkugg/y6m5WtOuuJxV6UmeQLTPD721jlBPpALO
+TicKph3axybnW2w/zw0hEH9NOJIFePftgE42SLolicG5AQ0EWwaZzwEIALMNijLI
+/Bjxtt3dAOC/FrGpfRelGzd5nmnbboBAqGgWkrBukpaqG/mLh4LMtfWwq9L45+Td
+hFp4AEFrtH2DvHpH8LIV3EGRq5mV5Kl3PMIpnUAyh4bCVkePxcP1ucM595xUVrmB
+RVbJYUY09ezglFe9pfSiTHBnb4rlA4B7a/GlYQsp91JZdjABWgkw19+v1tD5o9ul
+1vHRQYJ+WhjCZXX0WKuLPU8DO8lgQBWyW+vV8JB7FQFSSamkqVfOYbSBqwzL0rtj
+FfmsjoMruNSiGPn83sre/UhQ+pcqukA+YYQA6BLj2lCxwyYfxkF6eoUWjqtJy63W
+khYS+NxfYaZYc1UAEQEAAYkCNgQoAQoAIBYhBKxATBwL9zXGP/TVYiY9bfLhY+Hq
+BQJbjuoJAh0BAAoJECY9bfLhY+HqUOUQAKZjKBOzvqtI7CwdnZgsfduW6rWwgQty
+c1l+bRmRiPmZMqS5Tjr8h85B7aQMvms3saZGmsgHv2abIVp2BOZ+Rv727n+jR1TB
+tSxnAFGv8QvqBy4Zjia/CM8LrE1fQJUK8yFrjFHh75ZsLvWEdNlfO9a7JEw2OvTD
+d2FbroVjmRG2XeqGqxaGabDeW+d400cmLjrBNjv2hg0gR33x1qiznYdtXjC3baFv
+Hr8PQaSspqhzntmtZjiOvlHU4CI7IYWC4lnouLAPurlNYQrTqLFuGxT+fELIIhlF
+xuBF7vV/L29SxxkvQjPs5czErEOVoqYR9DTN2aQcCl/3rXQNzBNBzBPdy9Swsn2w
+Lt3eZFvyhSqQcmLbl5/EQedgEejP1fG5fmUhNOjpvFYKhsHDn97/5oMYy4EZ9oE6
+TCP8XQOt6PowHdq6nEdKP3puCuofv7jZxIgY+p3mIuL9Q4viG7cqVAM4qXbKAE0R
+w337jYb2vQHxNpQcGJAKV4dAFhWG7MTFV6LuGXHew9vm/H+75qtMn1kKhVmOxS5s
+lh7iPduRnBcxEROqdD8xhKWwyoferOkRZ0tsWtF1uPsvy/0y2nakGOVuIoIGI9Xu
+BbLWHf5uhI6PRY1nmRI5ASbufZEgg+xCkLpxz/Qe23alO8+Ul4M85DpsSZnMdDmf
+bi8TDXX02E2AiQNsBBgBCgAgFiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAlsGmc8C
+Gy4BQAkQJj1t8uFj4erAdCAEGQEKAB0WIQTz0Ti6kOYcPK7nAba3JfP9vazURgUC
+WwaZzwAKCRC3JfP9vazURvneCACeIFcjkWw7YCSV2W7llvoCQr+v4m4S3gRNe/hk
+OnbwKwUuCQRoa8RcVQp3tgPQBDePaOUxZSR9Fwr24mXob0DqEAn2GYtgWbsrNG2C
+qlLxXQGwZvdFlde+7N6aLwBz+EPGF4iAEmLq1lu2mFvtZd94ygRVsHxXEnFMcAao
+QKCaUjQKmpEpm6n+9hTTnJb5OumT6kLvtDgc47TafVfz1R3meqS3iDGKW/cOZolx
+j23di3aIqy6gnsKYY0LaH9jXqlD/P2vSi4TYe/PrtMCgqQ4lLbYgT+49aLanll7Y
+pk99zX6aOHD7ywBvEkcehlNX4+e9I+dfy/X1o+nXuMzYNPM+0pEQAIB3uSLSJk8F
+88uCb2xA/HJnsukBf+IkcqzCA09iiQqR6HE/MZ7suTahldEfauXx+cQGdTzEqQEm
+ZHa0yXTzNdeutEO0DpmgaLKR6q5LYNWBHGGMc979eKV7IsxdGpjvQNkVIqSCEjxL
+BF4p2D202rvdzZn0YCKJzgleF2AuL4LrHfp8jq+5D5bxfhnEU5XJgseRPU+dC3Lq
+zTeqxUUejP2P3UX4ELIN082EInREDPddBdI/CxFIgZZ8LYHf6MFG3UqCf72j5Y6U
+dZIwxM7DTfWOF3PJLcDU69Q9P/C07pzGz+vtQJO4b/gfEYaGLhV44IUx/Rsf6IYG
+HzdzKQoBedScecifBRTZxFG9mMiehdNxoZ2a3nOnRbDMEeanIuZAt97LjexVgGgm
+8tJvNixv3gXpxs7dzrRh01td/HfSnNUlsCfjLOrsjgqt5Po7zI6cttlcifa1kvnX
+eX4unjNuqjvRfG1T+PglUj9w0SkhPwjokrD43jMJdVbjhZ/kZEedI2zeCt/3nHPI
+G8hczEFeR4qElvMY5LWT5v2XfEQAsi3WtQuYYuFkF3xH3Hv/PqDiI+DQZL7pHzRS
+13lEeXXPf+AwO3Cx5JkX1EdFF+/1mxA4YI0MC37nI0vbYgTzs1c4LOBfQIgFIAqG
+oALbAtcVJ/gnIMcKdtMqaNMkbBmYdGeviQNyBBgBCgAmFiEErEBMHAv3NcY/9NVi
+Jj1t8uFj4eoCGy4FAluO6bYFCQCJoUkBQMB0IAQZAQoAHRYhBPPROLqQ5hw8rucB
+trcl8/29rNRGBQJbBpnPAAoJELcl8/29rNRG+d4IAJ4gVyORbDtgJJXZbuWW+gJC
+v6/ibhLeBE17+GQ6dvArBS4JBGhrxFxVCne2A9AEN49o5TFlJH0XCvbiZehvQOoQ
+CfYZi2BZuys0bYKqUvFdAbBm90WV177s3povAHP4Q8YXiIASYurWW7aYW+1l33jK
+BFWwfFcScUxwBqhAoJpSNAqakSmbqf72FNOclvk66ZPqQu+0OBzjtNp9V/PVHeZ6
+pLeIMYpb9w5miXGPbd2LdoirLqCewphjQtof2NeqUP8/a9KLhNh78+u0wKCpDiUt
+tiBP7j1otqeWXtimT33Nfpo4cPvLAG8SRx6GU1fj570j51/L9fWj6de4zNg08z4J
+ECY9bfLhY+HqqBUP/jnLbmDM2FJQq5osAJEnENg4WpB7oagprs9e9iG0+ipaCRmC
+XOYFCxAyUXGJVatWpH1LjikGuVrHE+Rw1MG2Gicf1OWJRIDUzc8x8NnZSWqt8Vak
+uM0RcJjIAossAf/OrLzOsY83MpcOkPp6r8256ik0bpPYeoOdppsDmD9m6630NfUT
+yd5G6mrvcW1x/OTgxZjTS+1LQa81uYjfQI39ZiW/KIoDs/bYU5hebpVYDSquc+/X
+apJv2ThlPYzGujnEQe/sidzonqzJRFRweWwpFsjBiW8OCw34hWhXRMt4k5usazxy
+Tq9FbPe02VaJpfkuviAFNP6igyb8GjHUtkLqC7VE6PByjVzdicSo115FNm2z3vVQ
+NFcrdm9qp4Vg1i8OqU66hzOu6TgfwFupdj4bL9W4ys9wm4J3rVN2Nv4Rtpn5XUwO
+iWxGW/CO3HhaBILoOEVunyIHv2D/Qg80zNN1xyYNbTC20DBouMFINaHiJPcZRho3
+mBc9V1U3cLsDVunMzuEXmkZP8a86fNrQgnyyxtXHQ30fn+y9M+1um6SvJyJMJsrH
+Qey1avREKeDMaG/kHH3tmsLGAIZhz6LnWhBa/Ih9opYMjsdrjqZoFsMre79mRCTP
+v0WkgBkIuEd8WLvrJ7I3ghstcl8chTNXvme6QBXCd3YkGW4aT6h/9mrMjDK4uQEN
+BFudBGIBCADhSb3x5LM+qdZz6SCWRQfGrleLxh9PcYzkm/L0mibZXBXfx3Jvve4Z
+tuTcPis/4Ym5qTp3W/BCMCMq/VVJqNgb1jUbXmEGLiKr/FWEoHU7suaGZ2DsPwaU
+EByVtOegYQmKlG66jiGvbkOV+PM7780KVtuKUberGL+P9R8P46/buvKMTy+pw3F9
+kEIbTh9gGCzQBvS6FxHBWgtN+MorHewESY4NRfOTCWTwzS4XCFJGTWni/UX81YAu
+sBLcMiI+Ai7ap4700p5bJGXwFkjPsVOzVfVCKV2p1+3ZcuSKwhYmsvL1Bmo1PoZG
+xkLpbTLEPiCl1xUB4MCzJn+RfRHEP/kZABEBAAGJAjYEGAEKACAWIQSsQEwcC/c1
+xj/01WImPW3y4WPh6gUCW50EYgIbDAAKCRAmPW3y4WPh6s5FD/4xjZ+2os4cv4+G
+hyRP+OWRrDswmAzu8xlbz2J+/HpCDpaw2JmvPXkciZAxGyjtAZBKamG4hOFMryPk
+AhHk+WvLrBfQ2sl1tA9uc6+YbIwQ/SiR8T2MybetfT8uTIBmZkFOrJ76e6q/k3yT
+N3PC3rODFPA5Onhx2tzK1SDQ3BdmNZG/RXh3jYI48jlI22Dh8PAuHOrzROGYqeo8
+wtdzTgy1W5+VD0V625iliKAxPMzZY20Vh7wdgLypf2GokS6uF7BpyFDJSGc1N1qt
+tf1V+PglSQgXuRbvxD6a8iZ1nuDjV+tdOcL6MgaWeWMOoWZOkH5Le38nuEKNcZU/
+KE2ouqvhpF6+48Bj9rA+b/YVaYoTwt8t80LZS8KoHYMkyOTjxjm6Q3+WP/Wfue8j
+7U99dslvGD/YEH/wFyyZ9xHKUCBhDRYe4Ewc8LrIUW10D4F5Jqot+FPyi5FmI5F/
+rzUfnMioOjiS4sxc4F9yMqfcVuV0aru3SJYBTrR4WCIJEM9ceUJGEGaYzed5ZXV8
+S6lV3jpWqXRVGuuJ7LpCaNR/WiY/Y5cdIcBmN1KobAxP6B2omaiItSzJ0M8+GqVr
+Nz1/RZZldsUL/wcrBJxOyeTousaTV74/eZNadLrG/Wc6BhDw9MT0ex7WkHG2ZTCB
+uAd8YL5rncwie4Pd69PdufTs5dgLGLkBDQRcNmNiAQgAwsqx2rWkd5HVeGrPmrat
+Kwb5mDvu/j17oXpfiN5nnRmg80aHpAE+ctbo78Ero/gQWigmdlmzjdLuIj1En3e
+lOrCjjWvPfVVwIfvTV47GrPexzFAPBefWMYrPHuxvh6SycfHtPsLO0zdaOs69CEj
+blzf0KZHJT+2iQ1sOnnPTG0GY3S5TMUwzFB6t5XlH54AF/vBwu9nnKfhMefawD7W
+EhxPbxiqP1d4DeRsLIWUINqVhz0/QJFBB5FOQUq+B+mB5G9awH3rbyS5ujx7cFZ7
+FsoNL+OrkBY4I/xdaKA4S8SrdiKnWctkP3UtuUQw1tCvDiH+A+rAW+P4qZ7j+5Lz
+GwARAQABiQNsBBgBCgAgFiEErEBMHAv3NcY/9NViJj1t8uFj4eoFAlw2Y2ICGwIB
+QAkQJj1t8uFj4erAdCAEGQEKAB0WIQSvYPyjzapt6tFX6jpn4496i6IXcgUCXDZj
+YgAKCRBn4496i6IXcpaIB/4xZOB+VKQtNyp+VYp67RE6YBzlbXq23/fg9vAKZ1R5
+OseVoSQ83lkxfmNC1S8nDePf95DlC+pyubcMpvu42FZn5/zgkSzUJvj7eTKSEpUg
+q3PLDE+3+vtoeXglShdGENmvz3WZm+wLV7YmqhKxAW3jFNt5ciu/BFe6TlKti0vI
+02+RZhyALPiiR5uwmR/MJoejnKQ0Mj46l7L0lB7yOcilj+jOcQiYCCW9DHHQUwYT
+9tal5HK3EE7WblRSKKgo1XjZnoM8CSht4LTH6w8PFESxlx0S85Vt+Cx1H7jQiwfD
+sT/poCMNDpkXzS6nYd3sAEJ5FJiR74s3qJgCbVXzib/3B70QAKGapT8LDwlGqSyy
+ORBXmJKq+uLoCY09H6eBNjFR43+g3qdhCkq1u0aI1T9IXtnk33rw4hycKzhkYHxI
+IG9pSjDyI4w5eFzR3wK836Tra8cmtsnJv+cD7tV6voxM8AJwBcwR1COZRVURlpkF
+7kvBfiJs/C5Z/AdAXCXoUjKloSjgoTil3EOJqHY8q86YDddelcEKg+xVP/uAjTgG
+m2qFQWAuOx2vajoAusKwgw/5Zi12iln02Obwqm8QSoLAM9/I45sBwbtjbgpnNTo3
+3tNIETIDuGeGXgjwRnsTAsc9aNlq8iU8Elci722pg1uoCzDNxxgkT4BAdYkc+Xxj
+KpTOtLfKbZcKRz2Us6E1czhFJAYy4LJ1LCDxhfG/qs6n3agC2dCO5tIqr1Z5ZH7h
+Vu1AkbH1Ygo2UEVeU46ciBnxZnsnlWW3dXtknnWk/ex+vo+6qj0LbNZnPXr0r4MX
+G4QgAbNJzP4lTjguoLETWMg07mRgKPzWKQqf2lW6U+ssAbB4kbapck9MfXAw9Yhq
+oD6kJJwPx8Wq/c4I05lXO8Ib/8Eex3DN3KS1+B2SSQo9KuO3vDfxTmMnz346a9Lx
+bNlZv/D9OGL4wj7I0uBF3k8lrB4DYC892GQbRu1EeGW1BUj05HFo/XF0yv1sa6q8
+/9/6U5Iz+fgwUfMwonpPImyKev/D
+=asWG
+-----END PGP PUBLIC KEY BLOCK-----
--- a/crun.spec
+++ b/crun.spec
@ -0,0 +1,108 @@
+#
+# spec file for package crun
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%ifarch x86_64 aarch64
+%if 0%{?suse_version} >= 1600
+%define with_wasmedge 1
+%else
+%define with_wasmedge 0
+%endif
+%else
+%define with_wasmedge 0
+%endif
+
+Name:           crun
+Version:        1.19.1
+Release:        0
+Summary:        OCI runtime written in C
+License:        GPL-2.0-or-later
+URL:            https://github.com/containers/crun
+Source0:        %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1:        %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+# From <https://github.com/giuseppe.gpg>. See <https://github.com/containers/crun/issues/1423>.
+Source2:        %{name}.keyring
+# We always run autogen.sh
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gcc
+BuildRequires:  gettext
+BuildRequires:  glibc-devel-static
+BuildRequires:  go-md2man
+BuildRequires:  libcap-devel
+BuildRequires:  libprotobuf-c-devel
+BuildRequires:  libseccomp-devel
+BuildRequires:  libtool
+BuildRequires:  libyajl-devel
+BuildRequires:  make
+BuildRequires:  python3
+BuildRequires:  python3-libmount
+BuildRequires:  systemd-devel
+%ifnarch %{ix86}
+BuildRequires:  criu-devel >= 3.15
+%endif
+%ifarch x86_64 aarch64
+BuildRequires:  libkrun-devel
+Requires:       libkrun1
+%endif
+%if %with_wasmedge
+BuildRequires:  wasmedge-devel
+%endif
+
+%description
+crun is a runtime for running OCI containers. It is built with libkrun support
+
+%prep
+%autosetup -p1
+
+%build
+%ifarch x86_64 aarch64
+export LIBKRUN="--with-libkrun"
+%endif
+%if %with_wasmedge
+export WASMEDGE="--with-wasmedge"
+%endif
+
+./autogen.sh
+%configure --disable-silent-rules $LIBKRUN $WASMEDGE CFLAGS='-I %{_includedir}/libseccomp'
+%make_build
+
+# TODO:
+# - it would be nice to enable the test-suite, but seems to behave (and fail!)
+#   differently when run inside of an OBS worker, with respect to when it's
+#   run manually on the host... Need to investigate more.
+#%%dnl %%check
+#make test-suite.log
+
+%install
+%make_install
+rm -rf %{buildroot}/%{_libdir}/lib*
+
+%files
+%license COPYING
+%doc README.md
+%doc SECURITY.md
+%{_bindir}/%{name}
+%ifarch x86_64 aarch64
+%{_bindir}/krun
+%endif
+%if %with_wasmedge
+%{_bindir}/crun-wasm
+%endif
+%{_mandir}/man1/*
+
+%changelog