From: Maxime Devos
To: guix-devel@gnu.org
Subject: Re: Potential security weakness in Guix services
Date: Fri, 29 Jan 2021 16:25:00 +0100
List-Id: "Development of GNU Guix and the GNU System distribution."

On Fri, 2021-01-29 at 14:33 +0100, Maxime Devos wrote:
> Hi Guix,
> [...]
> > Below is a summary of their messages, including a mitigation proposal.
> > Your feedback is requested!
>
> I'm writing a patch right now. It's a little more elaborate than my
> mkdir-p/own proposal. In the patch, directories with owner, group
> and permission bits are created via extensions to a ‘fs-entry-service-type’,
> which will perform various basic consistency checks at build time
> (e.g., no directory can be owned by multiple users).
>
> I'll post a draft when it's ready.

[First draft is attached, with many parts missing, it doesn't even compile]

I think I've got a basic idea on how to handle this.
Some problems to address:

* Guile does not have ‘openat, mkdirat’ procedures.
  How to resolve: implement these upstream, write FFI bindings,
  or use 'chdir' carefully.
* Verify whether symlinks are handled correctly.
  (stat vs lstat vs fstatat ...)
* Perhaps O_NOCTTY, O_NOLINK, O_NOTRANS, O_NONBLOCK, O_DIRECTORY,
  O_NOFOLLOW ... need to be used at some places.
* Maybe fsync needs to be used in some places. The service
  definitions don't seem to do that anywhere when chmodding and
  chowning, so not implementing this shouldn't be a regression, but
  it does seem like something to verify.
* On some Linux versions and filesystems, the use of O_TMPFILE
  might simplify reasoning about security properties, race windows,
  etc., but idk if it's supported on the Hurd, and which
  (linux version, filesystem) combinations are supported.
* Mounting filesystems. Can all filesystems used by services when
  activating be assumed to be up? idk.
* Support more security stuff (SELinux, SMACK, POSIX ACL, ...)
  Something for the far future, perhaps?

Perhaps I should just implement the basic mkdir-p/own proposal for now,
and in the future something more elaborate can be implemented? All but
the last two points probably still apply, though.

I'll take a look at how other systems handle this.

Maxime

Attachment: directory-setup.scm (text/x-scheme)
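The message lists openat/mkdirat, O_NOFOLLOW and O_DIRECTORY as open problems for creating service directories; the following C sketch shows how those calls combine so that ownership and mode are applied to an opened descriptor instead of a re-resolved path. It is an added example, not code from the attached draft or from Guix: the names `mkdir_own_at` and `mkdir_p_own` are hypothetical, and giving every path component the same owner, group and mode is a simplifying assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create (or reuse) directory NAME under PARENT_FD and set its owner, group
   and mode through a file descriptor.  Returns the fd, or -1 with errno. */
int mkdir_own_at(int parent_fd, const char *name,
                 mode_t bits, uid_t uid, gid_t gid)
{
    /* Owner-only until ownership is settled.  EEXIST is tolerated: the
       openat() below decides whether what already exists is acceptable. */
    if (mkdirat(parent_fd, name, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW refuses a symlink planted at NAME; O_DIRECTORY refuses
       anything that is not a directory. */
    int fd = openat(parent_fd, name,
                    O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fchown/fchmod act on the opened inode, not on a name that could be
       swapped between calls.  Mode is set last so BITS is the end state. */
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, bits) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Simplified mkdir-p/own (assumption: one context for every component).
   PATH is relative to ROOT_FD; returns the last component's fd or -1. */
int mkdir_p_own(int root_fd, const char *path,
                mode_t bits, uid_t uid, gid_t gid)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int cur = fcntl(root_fd, F_DUPFD_CLOEXEC, 0);
    for (char *c = strtok_r(buf, "/", &save); c != NULL && cur >= 0;
         c = strtok_r(NULL, "/", &save)) {
        int dots = strcmp(c, ".") == 0 || strcmp(c, "..") == 0;
        int next = dots ? -1 : mkdir_own_at(cur, c, bits, uid, gid);
        int saved = dots ? EINVAL : errno;   /* "." and ".." are rejected */
        close(cur);
        errno = saved;
        cur = next;
    }
    return cur;
}
```

Changing ownership to another user requires privilege, as it would during system activation; an unprivileged caller can only pass its own uid and one of its own groups.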