From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from atuin.qyliss.net (localhost [IPv6:::1]) by atuin.qyliss.net (Postfix) with ESMTP id 302F916DA1; Fri, 31 Oct 2025 20:32:14 +0000 (UTC) Received: by atuin.qyliss.net (Postfix, from userid 993) id D145F16D1A; Fri, 31 Oct 2025 20:32:10 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DMARC_PASS,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=4.0.1 Received: from mail-yx1-xb134.google.com (mail-yx1-xb134.google.com [IPv6:2607:f8b0:4864:20::b134]) by atuin.qyliss.net (Postfix) with ESMTPS id D4C0516D18 for ; Fri, 31 Oct 2025 20:32:09 +0000 (UTC) Received: by mail-yx1-xb134.google.com with SMTP id 956f58d0204a3-63e17c0fefbso3062428d50.1 for ; Fri, 31 Oct 2025 13:32:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1761942723; x=1762547523; darn=spectrum-os.org; h=autocrypt:in-reply-to:content-language:references:cc:to:subject :from:user-agent:mime-version:date:message-id:from:to:cc:subject :date:message-id:reply-to; bh=Rd0iy9V53WtUbdi0HErxHW0OekWCfSqFgvWUgn83Ifw=; b=EYP07L8G/EjShXNMF7Db7/Pd+5VkGuB3+IVYtrYoU2EF5J+jp3WZGzcefFREib8GmO 8CMyQcZzN5Jjs6hEys5a1z9/upCHLWw6/s5/t1LF4jyQqIUPVcF/myZFmUL+tT6JMG64 CThuVLknLC8lwTKaY3RQuvFhNM/LF3Eg2hlt6pl5OM70bgf3lshMv99uGpQtWs0Si6E6 eEBMFoeD9U/18f4Spr77c99z+d48kNFKeGlzpdh6e5y6a4cTP/23eKV/CnKCa+aXU836 oYMwhG70nQqkiiIY6zfZLtF/IGxZIByzSQ2WyvqieUjb9wpO+XyTKStqCTcXoARQ7G6d cB+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761942723; x=1762547523; h=autocrypt:in-reply-to:content-language:references:cc:to:subject :from:user-agent:mime-version:date:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Rd0iy9V53WtUbdi0HErxHW0OekWCfSqFgvWUgn83Ifw=; b=UzP2/TsDOaZDi8SP522aAU3kHKq+UX7cq3E0OwetAwcr8SjRRHt5IeuDKKvXbXxorj Iq5dO5tccwXkgJOkSjfQxl5qtnxQPk1t5537Hh4w2+NHbiKyGysMKxpf3881SIz/d/sM kwwZ+2/E9ziSzfQTPQuE6De4FddE7g05rWX3k8VXKth74tkYjNG9CIlJ4YF97KJZT2rh afQb7/vzHhamwbob80D8DSAkkmAhGFpMP9Iab4zieGWVPhctnFQmcEKnIA2n+gefanr4 QmrXsEbdJjlLYfRgsjAZ1FkciO9MIv8RgGJOir6aQky1VqRRdDwLHilntag8zIgcrRJE RgPw== X-Gm-Message-State: AOJu0YymL3YTT8BQrBugbHkcglX4qpS2k9FaF8myhsclqqUqg+6khHCK /uoQF1YTTT352lbvz7FuJUbOlaGO5WErXwgdPI5HzFyjaONyAFbV0z1sOb9I9w== X-Gm-Gg: ASbGnctQ2mOa/zoGPguw5vNXE8AfK27zyan/HmwYIatySapXvEFLO9HTe13WeQG/Apz l2dNKpYB3PiiyEJ3FbdlkcMpZAMLpQuTi5eaRyiv8IzroxFuOmjHptJM+xcd28cXy4M+ke3+2pj LvRsW24GSSeF27KOXu8RPZ/xBbzVOFtY8WyGk1mf0NHzYbLYn7uPyx8uQzCOkm7pIyiaZyRUdFk 0y8j++txs1cWXVP+1rtofY+M5F1f5yW6dUNTtvRWlXpcbhJ0NSUZkbcIO1odDLhiMC2xdCsXkRx K0f9sRL1Gcpd0eM2lz6SjWAyd8KCOuIvdeXLyF9RcIaEq4IWYMnCQK8FT3E+yYA1uvKd4KyaOIS H62ndgP9kr9WMdb3sDHHRtsMYOTN/4jUWap+NpxyXuEx5XIMm7kHjpyeYJAzIpz4UqcMDTpG7i2 UBrY6oDl9GOHp9jsm6pXBdaz9xehbdGebxCBsEi43X+wWPaq7LY0O6H4GtrgvLUc/tRgNMl4zhy E7GCyrjPP56ewJawnrq1ifCfzB4bsFULtocSg== X-Google-Smtp-Source: AGHT+IG3E8XviV8Ew7kSV2NEXpzxTyW7DicXHP2AMhRW5S3ccjsapDmahEQZ77/a3er06x0ErQsOrQ== X-Received: by 2002:a53:cf50:0:b0:63f:7da8:6b93 with SMTP id 956f58d0204a3-63f92320a9dmr2981120d50.55.1761942723102; Fri, 31 Oct 2025 13:32:03 -0700 (PDT) Received: from [10.138.34.110] (h96-60-249-169.cncrtn.broadband.dynamic.tds.net. [96.60.249.169]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7864bd8b95bsm8251667b3.20.2025.10.31.13.32.02 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 31 Oct 2025 13:32:02 -0700 (PDT) Message-ID: <72921587-e951-4bfb-b68e-5cb05fc32609@gmail.com> Date: Fri, 31 Oct 2025 16:31:58 -0400 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird From: Demi Marie Obenour Subject: Re: [PATCH 3/7] tools: Add directory checker for updates To: Alyssa Ross References: <20251029-updates-v1-0-401c1be2a11b@gmail.com> <20251029-updates-v1-3-401c1be2a11b@gmail.com> <87sef1kjbk.fsf@alyssa.is> Content-Language: en-US In-Reply-To: <87sef1kjbk.fsf@alyssa.is> Autocrypt: addr=demiobenour@gmail.com; keydata= xsFNBFp+A0oBEADffj6anl9/BHhUSxGTICeVl2tob7hPDdhHNgPR4C8xlYt5q49yB+l2nipd aq+4Gk6FZfqC825TKl7eRpUjMriwle4r3R0ydSIGcy4M6eb0IcxmuPYfbWpr/si88QKgyGSV Z7GeNW1UnzTdhYHuFlk8dBSmB1fzhEYEk0RcJqg4AKoq6/3/UorR+FaSuVwT7rqzGrTlscnT DlPWgRzrQ3jssesI7sZLm82E3pJSgaUoCdCOlL7MMPCJwI8JpPlBedRpe9tfVyfu3euTPLPx wcV3L/cfWPGSL4PofBtB8NUU6QwYiQ9Hzx4xOyn67zW73/G0Q2vPPRst8LBDqlxLjbtx/WLR 6h3nBc3eyuZ+q62HS1pJ5EvUT1vjyJ1ySrqtUXWQ4XlZyoEFUfpJxJoN0A9HCxmHGVckzTRl 5FMWo8TCniHynNXsBtDQbabt7aNEOaAJdE7to0AH3T/Bvwzcp0ZJtBk0EM6YeMLtotUut7h2 Bkg1b//r6bTBswMBXVJ5H44Qf0+eKeUg7whSC9qpYOzzrm7+0r9F5u3qF8ZTx55TJc2g656C 9a1P1MYVysLvkLvS4H+crmxA/i08Tc1h+x9RRvqba4lSzZ6/Tmt60DPM5Sc4R0nSm9BBff0N m0bSNRS8InXdO1Aq3362QKX2NOwcL5YaStwODNyZUqF7izjK4QARAQABzTxEZW1pIE1hcmll IE9iZW5vdXIgKGxvdmVyIG9mIGNvZGluZykgPGRlbWlvYmVub3VyQGdtYWlsLmNvbT7CwXgE EwECACIFAlp+A0oCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJELKItV//nCLBhr8Q AK/xrb4wyi71xII2hkFBpT59ObLN+32FQT7R3lbZRjVFjc6yMUjOb1H/hJVxx+yo5gsSj5LS 9AwggioUSrcUKldfA/PKKai2mzTlUDxTcF3vKx6iMXKA6AqwAw4B57ZEJoMM6egm57TV19kz PMc879NV2nc6+elaKl+/kbVeD3qvBuEwsTe2Do3HAAdrfUG/j9erwIk6gha/Hp9yZlCnPTX+ VK+xifQqt8RtMqS5R/S8z0msJMI/ajNU03kFjOpqrYziv6OZLJ5cuKb3bZU5aoaRQRDzkFIR 6aqtFLTohTo20QywXwRa39uFaOT/0YMpNyel0kdOszFOykTEGI2u+kja35g9TkH90kkBTG+a EWttIht0Hy6YFmwjcAxisSakBuHnHuMSOiyRQLu43ej2+mDWgItLZ48Mu0C3IG1seeQDjEYP tqvyZ6bGkf2Vj+L6wLoLLIhRZxQOedqArIk/Sb2SzQYuxN44IDRt+3ZcDqsPppoKcxSyd1Ny 2tpvjYJXlfKmOYLhTWs8nwlAlSHX/c/jz/ywwf7eSvGknToo1Y0VpRtoxMaKW1nvH0OeCSVJ itfRP7YbiRVc2aNqWPCSgtqHAuVraBRbAFLKh9d2rKFB3BmynTUpc1BQLJP8+D5oNyb8Ts4x Xd3iV/uD8JLGJfYZIR7oGWFLP4uZ3tkneDfYzsFNBFp+A0oBEAC9ynZI9LU+uJkMeEJeJyQ/ 8VFkCJQPQZEsIGzOTlPnwvVna0AS86n2Z+rK7R/usYs5iJCZ55/JISWd8xD57ue0eB47bcJv VqGlObI2DEG8TwaW0O0duRhDgzMEL4t1KdRAepIESBEA/iPpI4gfUbVEIEQuqdqQyO4GAe+M kD0Hy5JH/0qgFmbaSegNTdQg5iqYjRZ3ttiswalql1/iSyv1WYeC1OAs+2BLOAT2NEggSiVO txEfgewsQtCWi8H1SoirakIfo45Hz0tk/Ad9ZWh2PvOGt97Ka85o4TLJxgJJqGEnqcFUZnJJ riwoaRIS8N2C8/nEM53jb1sH0gYddMU3QxY7dYNLIUrRKQeNkF30dK7V6JRH7pleRlf+wQcN fRAIUrNlatj9TxwivQrKnC9aIFFHEy/0mAgtrQShcMRmMgVlRoOA5B8RTulRLCmkafvwuhs6 dCxN0GNAORIVVFxjx9Vn7OqYPgwiofZ6SbEl0hgPyWBQvE85klFLZLoj7p+joDY1XNQztmfA rnJ9x+YV4igjWImINAZSlmEcYtd+xy3Li/8oeYDAqrsnrOjb+WvGhCykJk4urBog2LNtcyCj kTs7F+WeXGUo0NDhbd3Z6AyFfqeF7uJ3D5hlpX2nI9no/ugPrrTVoVZAgrrnNz0iZG2DVx46 x913pVKHl5mlYQARAQABwsFfBBgBAgAJBQJafgNKAhsMAAoJELKItV//nCLBwNIP/AiIHE8b oIqReFQyaMzxq6lE4YZCZNj65B/nkDOvodSiwfwjjVVE2V3iEzxMHbgyTCGA67+Bo/d5aQGj gn0TPtsGzelyQHipaUzEyrsceUGWYoKXYyVWKEfyh0cDfnd9diAm3VeNqchtcMpoehETH8fr RHnJdBcjf112PzQSdKC6kqU0Q196c4Vp5HDOQfNiDnTf7gZSj0BraHOByy9LEDCLhQiCmr+2 E0rW4tBtDAn2HkT9uf32ZGqJCn1O+2uVfFhGu6vPE5qkqrbSE8TG+03H8ecU2q50zgHWPdHM OBvy3EhzfAh2VmOSTcRK+tSUe/u3wdLRDPwv/DTzGI36Kgky9MsDC5gpIwNbOJP2G/q1wT1o Gkw4IXfWv2ufWiXqJ+k7HEi2N1sree7Dy9KBCqb+ca1vFhYPDJfhP75I/VnzHVssZ/rYZ9+5 1yDoUABoNdJNSGUYl+Yh9Pw9pE3Kt4EFzUlFZWbE4xKL/NPno+z4J9aWemLLszcYz/u3XnbO vUSQHSrmfOzX3cV4yfmjM5lewgSstoxGyTx2M8enslgdXhPthZlDnTnOT+C+OTsh8+m5tos8 HQjaPM01MKBiAqdPgksm1wu2DrrwUi6ChRVTUBcj6+/9IJ81H2P2gJk3Ls3AVIxIffLoY34E +MYSfkEjBz0E8CLOcAw7JIwAaeBT Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------J5ASHmhtceyzcMXzd1vMFYLU" Message-ID-Hash: WKBE2AP2Y2PE7FYEJYJS4MJYUJ3ULYXX X-Message-ID-Hash: WKBE2AP2Y2PE7FYEJYJS4MJYUJ3ULYXX X-MailFrom: demiobenour@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1; header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3; header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Spectrum OS Development X-Mailman-Version: 3.3.9 Precedence: list List-Id: Patches and low-level development discussion Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------J5ASHmhtceyzcMXzd1vMFYLU Content-Type: multipart/mixed; boundary="------------qf1LHKElenqbUznICCoeBgTC"; protected-headers="v1" From: Demi Marie Obenour To: Alyssa Ross Cc: Spectrum OS Development Message-ID: <72921587-e951-4bfb-b68e-5cb05fc32609@gmail.com> Subject: Re: [PATCH 3/7] tools: Add directory checker for updates References: <20251029-updates-v1-0-401c1be2a11b@gmail.com> <20251029-updates-v1-3-401c1be2a11b@gmail.com> <87sef1kjbk.fsf@alyssa.is> In-Reply-To: <87sef1kjbk.fsf@alyssa.is> Autocrypt-Gossip: addr=hi@alyssa.is; keydata= xsFNBFpSgoYBEAC4xkCYidG2JlRWulUkTWcx0pHFDf3oSbb6Q872Kb3iDChWgluNVz43hva1 3xfDo9foV0GoyfGl/ycSCkXX5hlQr7ir/5FN38E7H/yY6tH8+l68iDgIOcb1qY0OYaxyg+Lz WesfFQedrmwNTbF4L1BtWzrTR5PflDdhDo5VWSguHGJFSclchcr/6UmMb/gOUN+2ElBC2TE2 EKY099phZ6DJZ2aZCsclwKIdCpZzXlEmXPAeaH5om6xo90JYv5+sFji40R0Plqec3WC+jTxy lGca6IbPdOminuUF+GvsR86eVsgh/0XNK7/zus7gyc4PuMUA1rCoeHcWOBDPgmelgCQyJGXd /bXeKuUsGoge58uc7/YNvOh1vfpD3AaEMqAyXfmmUwBnIicml74+2eOpH3Oljfs01g+DhkOB MtpVSZSgaIDvP0WG6cbAxImoUasnmNxEDNskfVmI8bsajPW9bt4z5hiP5Q9G3vE0D5HcIFdM adOz81PpOwNiUXcjtYV1PWZQ56jbSTOf8EBvsB71WwB+XgVWcPzIlY8hAykiHIO87oV3o71U JTAn1Foj7mjSADnY0deleOmar/K5jrK3wvKKM1XlB7PXcGBdkorJC+cbxVsw0ADzMw0c7bVc wEE7OFvHjQiIK1lO+lb1cvGBBY3IZxjsjZdA/VsFHFdAeYlzNQARAQABzRpBbHlzc2EgUm9z cyA8aGlAYWx5c3NhLmlzPsLBlwQTAQgAQQIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAIZ ARYhBHVzVtd5u7iIdz5BXnNszfnvUb2XBQJoh9HmBQkOtoJgAAoJEHNszfnvUb2XFxAP/jF7 Rxuspytz7VwOA/y5WQe/FdPNRvyRUzj66ZzfuaG++md14LWcrvbb2hHLdS5ePdKoOaqC3xhK Ncy/5RVd4pD5N4AY7O5228JKDO8GGWEl3rupOCmYQL9P8GpsdGt2xkFqbu4HrFzMTzl6nvKN GtvhBSCkAW3v7wTwPf2rkjX8f+clmRZn4YLfojaBCT/ZFjmJkQSWZ+2rUZOxjgZgckLkplu8 LVILVdaHNLkOrxbKQLuuVyEkN+/YrshyJP4a7Z/Tnw+3eZcaLuLOxBHpWOAAgJZ8kL+V7BxK DlTywv/OOr0CoNi9zjH3VgRiJ1961K/DocjA50pWBilMUs4jGp9omhkAOwdNV2hi+Zj/GXaD kgvBlE313DGWzgW0RauL8j5/GULgphwm5UOHXb/5yM9pRw87kfQ/+zQuHpguoXSGkUv0kSID 88kUGlNxy1kkTsSYG2UTKLmLDPuUGOUDGaNUzD+J49MogSLTmvHUIYNs0jFmpLyhVoTtSi/I VQQpHyk9ucAZd2OLxChm3RBJhAbmGw3rhUxx6B8SHwcBcJDttGyYF2GZj9AYAGlU/Fm1Itoi NwJD0vQnSZ//25l+XJehpeeixsqydj00gksHWEFaIEgCYyC6JfmGS4HtuUcv76vc2vLCv5aH hJVHHKGs+kiKJ2+r7bCNwvW0doVePdByzjgEZyd/yxIKKwYBBAGXVQEFAQEHQCVxoiHOlsEo NDKGCbxg4nL3E1CV0MRQCU1hPowd77h3AwEIB8LBfAQYAQoAJgIbDBYhBHVzVtd5u7iIdz5B XnNszfnvUb2XBQJoh9HXBQkB4YUCAAoJEHNszfnvUb2XgvAP+gIIKR3KatmwuUcla1RN6tUc 0Ae9eqS1cbSEDj8a14fnvUHtlCEO5g4m2PvPn7L2o7047ppl5100+zGMocXWslnDFJJVeAOp xzlhZ48DFMxkZkjtLY2fRrj1tOtzrTRikV0/UsaVs9tMPMEsVu/FH0exMoNELcqEVUgcRRpd XYXC9zgDUcM4+JRH8hDOiC51JRvdkXcokAXphuCY3J996i8Ph+kg6xMqscePscvvltR68jcT HHDOiOQtzjJRKQ6BHUzYdIRixcq210sabfZGJVT+7BfHI5qiUwfoG3DXSJygviN3I/EfnSbD 6T0Ccv/G6wQPHO4Vyn+egrMOU/HUrCKuq/b0rYvI8pTtRWAxIHkFZoKVB8I8Rl8+riGiEUAh Ja0bU4iOg7vR5Bm8Gt/tR6KjClyBI5NN1M1haFgVXqZ3dsQDpBjivbDHbUsAXVsd00y0B4Ir 8muvII9eJOwbTyqcG9RJbflquPp+FPlgiy9pYj52PB0NwzLYqX0fOWU8IqQF3bWtdJIb4Zat XnfqYtJ/wCaJTU43N3+/TIdqNA4G3WbyRYsCnz/kkf1ARmxoq3r29dOl8OnNHEvB1+hBlNBk d+cLpsYdTxa63OpbNDpm/unX1sEpOYy04dL5Y8B1Xbh+rQFNySq4Ani2dl5N1OsrjgzZ+wkl k2wOTWzl7wFH --------------qf1LHKElenqbUznICCoeBgTC Content-Type: multipart/mixed; boundary="------------WCs2IROPQtDcK56hvgAVMkaO" --------------WCs2IROPQtDcK56hvgAVMkaO Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 10/29/25 08:01, Alyssa Ross wrote: > Demi Marie Obenour writes: >=20 >> Spectrum OS's host has no network access. Updates must be downloaded = by >> VMs. The downloads are placed into a bind-mounted directory. The VM >> can write whatever it wants into that directory. This includes symlin= ks >> that subsequent code might open, which would create a path traversal >> vulnerability. It also includes paths with names containing containin= g >> terminal escape sequences, newlines, or other nastiness. Furthermore,= >> the directory should not have any subdirectories either. >> >> Add a simple C program that checks for such ugliness and indicates >> (via its exit code) if the VM misbehaved. It also ensures that both >> SHA256SUMS and SHA256SUMS.gpg are present. >> >> Signed-off-by: Demi Marie Obenour >> --- >> host/rootfs/Makefile | 6 +- >> lib/kcmdline-utils.mk | 6 ++ >> tools/default.nix | 1 + >> tools/meson.build | 1 + >> tools/updates-dir-check/meson.build | 4 ++ >> tools/updates-dir-check/updates-dir-check.c | 94 ++++++++++++++++++++= +++++++++ >> 6 files changed, 110 insertions(+), 2 deletions(-) >=20 > I still don't really understand why this needs to be a C program instea= d > of find -H /path/to/dir -not -type f. None of the other checks seem > very necessary? I trust this code more than I trust (especially) the Busybox implementation of find. >> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile >> index 00d125774bb7b98736d0928c69cb307740cee034..15752286f5924291768f06= 55a12b90c702730520 100644 >> --- a/host/rootfs/Makefile >> +++ b/host/rootfs/Makefile >> @@ -62,6 +62,9 @@ build/fifo: >> build/empty: >> mkdir -p $@ >> =20 >> +build/etc: >> + mkdir -p $@ >> + >> # s6-rc-compile's input is a directory, but that doesn't play nice >> # with Make, because it won't know to update if some file in the >> # directory is changed, or a file is created or removed in a >> @@ -69,8 +72,7 @@ build/empty: >> # including files that aren't intended to be part of the input, like >> # temporary editor files or .license files. So for all these reasons= , >> # only explicitly listed files are made available to s6-rc-compile. >> -build/etc/s6-rc: $(S6_RC_FILES) file-list.mk >> - mkdir -p $$(dirname $@) >> +build/etc/s6-rc: $(S6_RC_FILES) file-list.mk build/etc >> rm -rf $@ >> set -uo pipefail && dir=3D$$(mktemp -d) && \ >> { tar -c $(S6_RC_FILES) | tar -C $$dir -x --strip-components 3; = } && \ >> diff --git a/lib/kcmdline-utils.mk b/lib/kcmdline-utils.mk >> new file mode 100644 >> index 0000000000000000000000000000000000000000..fa228552e583f15fc77a74= 6985060ad5d04cdf2c >> --- /dev/null >> +++ b/lib/kcmdline-utils.mk >> @@ -0,0 +1,6 @@ >> +# SPDX-License-Identifier: EUPL-1.2+ >> +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross >> +READ_ROOTHASH =3D { \ >> + set -eufo pipefail; \ >> + read -r version < ../../version; \ >> + LC_ALL=3DC expr "x$$version" : '^\(x0\|x[1-9][0-9]*\)\(\.\(0\|[1-9][= 0-9]*\)\)\{2\}$$' >/dev/null; } >=20 > None of these changes seem to have anything to do with this patch. Did= > they end up in here by mistake? Correct. >> diff --git a/tools/default.nix b/tools/default.nix >> index ca165b5ec8ae1a63b75af4a34f33e320b262ba7b..e644f4e710e56f32de27ea= 10047cba3cffd0ecdf 100644 >> --- a/tools/default.nix >> +++ b/tools/default.nix >> @@ -78,6 +78,7 @@ stdenv.mkDerivation (finalAttrs: { >> ./start-vmm >> ./subprojects >> ./sd-notify-adapter >> + ./updates-dir-check >> ] ++ lib.optionals driverSupport [ >> ./xdp-forwarder >> ])); >> diff --git a/tools/meson.build b/tools/meson.build >> index 5d0ae81042fd3d77646594500f32cb1d48a6af0c..7da3bb451a5f1a797bc7e5= 0a67c44dbd37ba60bf 100644 >> --- a/tools/meson.build >> +++ b/tools/meson.build >> @@ -28,6 +28,7 @@ if get_option('host') >> subdir('lsvm') >> subdir('start-vmm') >> subdir('sd-notify-adapter') >> + subdir('updates-dir-check') >> endif >> =20 >> if get_option('app') >> diff --git a/tools/updates-dir-check/meson.build b/tools/updates-dir-c= heck/meson.build >> new file mode 100644 >> index 0000000000000000000000000000000000000000..e19691d0e35f8a051e8979= 90f0376384b3625c1a >> --- /dev/null >> +++ b/tools/updates-dir-check/meson.build >> @@ -0,0 +1,4 @@ >> +# SPDX-License-Identifier: EUPL-1.2+ >> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour >> + >> +executable('updates-dir-check', 'updates-dir-check.c', install: true,= c_args: ['-D_GNU_SOURCE=3D1', '-UNDEBUG', '-Wno-error=3Dpedantic']) >=20 > How are -Werror=3Dpedantic and -DNDEBUG getting enabled in the first pl= ace? I believe Meson sets -DNDEBUG in some cases. >> diff --git a/tools/updates-dir-check/updates-dir-check.c b/tools/updat= es-dir-check/updates-dir-check.c >> new file mode 100644 >> index 0000000000000000000000000000000000000000..94c7d54bec38d6efbd5b8a= ca257f3ec4ad3fae35 >> --- /dev/null >> +++ b/tools/updates-dir-check/updates-dir-check.c >> @@ -0,0 +1,94 @@ >> +// SPDX-License-Identifier: EUPL-1.2+ >> +// SPDX-FileCopyrightText: 2025 Demi Marie Obenour >> +#include >> +#include >> +#include >> +#include >> + >> +#include >> +#include >> +#include >> +#include >> + >> +#include >> +#include >> +#include >> + >> +#include >> + >> +static void checkdir(int fd) >> +{ >> + DIR *d =3D fdopendir(fd); >> + if (d =3D=3D NULL) >> + err(1, "fdopendir"); >=20 > Usually we use EXIT_FAILURE. Will fix in v2. >> + bool found_sha256sums =3D false; >> + bool found_sha256sums_gpg =3D false; >> + for (;;) { >> + errno =3D 0; >> + struct dirent *entry =3D readdir(d); >> + if (entry =3D=3D NULL) { >> + if (errno) >> + err(1, "readdir"); >> + break; >> + } >> + assert(entry->d_reclen > offsetof(struct dirent, d_name)); >> + size_t len =3D strnlen(entry->d_name, entry->d_reclen - offsetof(st= ruct dirent, d_name)); >> + assert(len < entry->d_reclen - offsetof(struct dirent, d_name)); >> + assert(len > 0); Will fix in v2. >> + if (entry->d_name[0] =3D=3D '.') >> + if (len =3D=3D 1 || (len =3D=3D 2 && entry->d_name[1] =3D=3D '.'))= >> + continue; >> + if (strcmp(entry->d_name, "SHA256SUMS") =3D=3D 0) { >> + found_sha256sums =3D true; >> + continue; >> + } >> + if (strcmp(entry->d_name, "SHA256SUMS.gpg") =3D=3D 0) { >> + found_sha256sums_gpg =3D true; >> + continue; >> + } >> + unsigned char c =3D (unsigned char)entry->d_name[0]; >> + if (!((c >=3D 'A' && c <=3D 'Z') || >> + (c >=3D 'a' && c <=3D 'z'))) >> + errx(1, "Filename must begin with an ASCII letter"); >> + for (size_t i =3D 1; i < len; ++i) { >> + c =3D (unsigned char)entry->d_name[i]; >> + if (!((c >=3D 'A' && c <=3D 'Z') || >> + (c >=3D 'a' && c <=3D 'z') || >> + (c >=3D '0' && c <=3D '9') || >> + (c =3D=3D '_') || >> + (c =3D=3D '-') || >> + (c =3D=3D '.'))) { >> + if (c >=3D 0x20 && c <=3D 0x7E) >> + errx(1, "Forbidden subsequent character in filename: '%c'", (int= )c); >> + else >> + errx(1, "Forbidden subsequent character in filename: byte %d", (= int)c); >> + } >> + } >=20 > Why do we care? Surely we don't expect systemd-sysupdate to put > filenames unescaped into a shell or something. Prevent escape sequence injection into terminals and logs is the main reason. Qubes OS has similar checks in some places, though they are off by default for file copying. >> + if (entry->d_name[len - 1] =3D=3D '.') >> + errx(1, "Filename must not end with a '.'"); >> + if (entry->d_type !=3D DT_REG) >> + errx(1, "Entry contains non-regular file %s", entry->d_name); >> + } >> + if (!found_sha256sums) >> + errx(1, "SHA256SUMS not found"); >> + if (!found_sha256sums_gpg) >> + errx(1, "SHA256SUMS.gpg not found"); >> + closedir(d); >> +} >> + >> +int main(int argc, char **argv) >> +{ >> + for (int i =3D 1; i < argc; ++i) { >> + // Avoid symlink attacks. >> + struct open_how how =3D { >> + .flags =3D O_DIRECTORY|O_RDONLY|O_CLOEXEC|O_NOFOLLOW, >> + .resolve =3D RESOLVE_NO_SYMLINKS|RESOLVE_NO_MAGICLINKS, >> + }; >=20 > For opening files given on the command line, wouldn't we want to use th= e > mount's symlink behaviour? The VM presumably can't replace the root > directory shared with it with a symlink. Right now, the directory shared is actually the parent of the directory with the updates. This is because of a limitation in the updated start-vm script. As you point out later, that's not the best approach. Much better to bind-mount only the directories needed. >> + int fd =3D (int)syscall((long)SYS_openat2, (long)AT_FDCWD, (long)ar= gv[i], >> + (long)&how, (long)sizeof(how)); >> + if (fd < 0) >> + err(1, "open(%s)", argv[i]); >> + checkdir(fd); >> + } >> + return 0; >> +} --=20 Sincerely, Demi Marie Obenour (she/her/hers) --------------WCs2IROPQtDcK56hvgAVMkaO Content-Type: application/pgp-keys; name="OpenPGP_0xB288B55FFF9C22C1.asc" Content-Disposition: attachment; filename="OpenPGP_0xB288B55FFF9C22C1.asc" Content-Description: OpenPGP public key Content-Transfer-Encoding: quoted-printable -----BEGIN PGP PUBLIC KEY BLOCK----- xsFNBFp+A0oBEADffj6anl9/BHhUSxGTICeVl2tob7hPDdhHNgPR4C8xlYt5q49y B+l2nipdaq+4Gk6FZfqC825TKl7eRpUjMriwle4r3R0ydSIGcy4M6eb0IcxmuPYf bWpr/si88QKgyGSVZ7GeNW1UnzTdhYHuFlk8dBSmB1fzhEYEk0RcJqg4AKoq6/3/ UorR+FaSuVwT7rqzGrTlscnTDlPWgRzrQ3jssesI7sZLm82E3pJSgaUoCdCOlL7M MPCJwI8JpPlBedRpe9tfVyfu3euTPLPxwcV3L/cfWPGSL4PofBtB8NUU6QwYiQ9H zx4xOyn67zW73/G0Q2vPPRst8LBDqlxLjbtx/WLR6h3nBc3eyuZ+q62HS1pJ5EvU T1vjyJ1ySrqtUXWQ4XlZyoEFUfpJxJoN0A9HCxmHGVckzTRl5FMWo8TCniHynNXs BtDQbabt7aNEOaAJdE7to0AH3T/Bvwzcp0ZJtBk0EM6YeMLtotUut7h2Bkg1b//r 6bTBswMBXVJ5H44Qf0+eKeUg7whSC9qpYOzzrm7+0r9F5u3qF8ZTx55TJc2g656C 9a1P1MYVysLvkLvS4H+crmxA/i08Tc1h+x9RRvqba4lSzZ6/Tmt60DPM5Sc4R0nS m9BBff0Nm0bSNRS8InXdO1Aq3362QKX2NOwcL5YaStwODNyZUqF7izjK4QARAQAB zTxEZW1pIE9iZW5vdXIgKElUTCBFbWFpbCBLZXkpIDxhdGhlbmFAaW52aXNpYmxl dGhpbmdzbGFiLmNvbT7CwY4EEwEIADgWIQR2h02fEza6IlkHHHGyiLVf/5wiwQUC X6YJvQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCyiLVf/5wiwWRhD/0Y R+YYC5Kduv/2LBgQJIygMsFiRHbR4+tWXuTFqgrxxFSlMktZ6gQrQCWe38WnOXkB oY6n/5lSJdfnuGd2UagZ/9dkaGMUkqt+5WshLFly4BnP7pSsWReKgMP7etRTwn3S zk1OwFx2lzY1EnnconPLfPBc6rWG2moA6l0WX+3WNR1B1ndqpl2hPSjT2jUCBWDV rGOUSX7r5f1WgtBeNYnEXPBCUUM51pFGESmfHIXQrqFDA7nBNiIVFDJTmQzuEqIy Jl67pKNgooij5mKzRhFKHfjLRAH4mmWZlB9UjDStAfFBAoDFHwd1HL5VQCNQdqEc /9lZDApqWuCPadZN+pGouqLysesIYsNxUhJ7dtWOWHl0vs7/3qkWmWun/2uOJMQh ra2u8nA9g91FbOobWqjrDd6x3ZJoGQf4zLqjmn/P514gb697788e573WN/MpQ5XI Fl7aM2d6/GJiq6LC9T2gSUW4rbPBiqOCeiUx7Kd/sVm41p9TOA7fEG4bYddCfDsN xaQJH6VRK3NOuBUGeL+iQEVF5Xs6Yp+U+jwvv2M5Lel3EqAYo5xXTx4ls0xaxDCu fudcAh8CMMqx3fguSb7Mi31WlnZpk0fDuWQVNKyDP7lYpwc4nCCGNKCj622ZSocH AcQmX28L8pJdLYacv9pU3jPy4fHcQYvmTavTqowGnM08RGVtaSBNYXJpZSBPYmVu b3VyIChsb3ZlciBvZiBjb2RpbmcpIDxkZW1pb2Jlbm91ckBnbWFpbC5jb20+wsF4 BBMBAgAiBQJafgNKAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCyiLVf /5wiwYa/EACv8a2+MMou9cSCNoZBQaU+fTmyzft9hUE+0d5W2UY1RY3OsjFIzm9R /4SVccfsqOYLEo+S0vQMIIIqFEq3FCpXXwPzyimotps05VA8U3Bd7yseojFygOgK sAMOAee2RCaDDOnoJue01dfZMzzHPO/TVdp3OvnpWipfv5G1Xg96rwbhMLE3tg6N xwAHa31Bv4/Xq8CJOoIWvx6fcmZQpz01/lSvsYn0KrfEbTKkuUf0vM9JrCTCP2oz VNN5BYzqaq2M4r+jmSyeXLim922VOWqGkUEQ85BSEemqrRS06IU6NtEMsF8EWt/b hWjk/9GDKTcnpdJHTrMxTspExBiNrvpI2t+YPU5B/dJJAUxvmhFrbSIbdB8umBZs I3AMYrEmpAbh5x7jEjoskUC7uN3o9vpg1oCLS2ePDLtAtyBtbHnkA4xGD7ar8mem xpH9lY/i+sC6CyyIUWcUDnnagKyJP0m9ks0GLsTeOCA0bft2XA6rD6aaCnMUsndT ctrab42CV5XypjmC4U1rPJ8JQJUh1/3P48/8sMH+3krxpJ06KNWNFaUbaMTGiltZ 7x9DngklSYrX0T+2G4kVXNmjaljwkoLahwLla2gUWwBSyofXdqyhQdwZsp01KXNQ UCyT/Pg+aDcm/E7OMV3d4lf7g/CSxiX2GSEe6BlhSz+Lmd7ZJ3g32M1ARGVtaSBN YXJpZSBPYmVub3VyIChJVEwgRW1haWwgS2V5KSA8ZGVtaUBpbnZpc2libGV0aGlu Z3NsYWIuY29tPsLBjgQTAQgAOBYhBHaHTZ8TNroiWQcccbKItV//nCLBBQJgOEV+ AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJELKItV//nCLBKwoP/1WSnFdv SAD0g7fD0WlF+oi7ISFT7oqJnchFLOwVHK4Jg0e4hGn1ekWsF3Ha5tFLh4V/7UUu obYJpTfBAA2CckspYBqLtKGjFxcaqjjpO1I2W/jeNELVtSYuCOZICjdNGw2Hl9yH KRZiBkqc9u8lQcHDZKq4LIpVJj6ZQV/nxttDX90ax2No1nLLQXFbr5wb465LAPpU lXwunYDij7xJGye+VUASQh9datye6orZYuJvNo8Tr3mAQxxkfR46LzWgxFCPEAZJ 5P56Nc0IMHdJZj0Uc9+1jxERhOGppp5jlLgYGK7faGB/jTV6LaRQ4Ad+xiqokDWp mUOZsmA+bMbtPfYjDZBz5mlyHcIRKIFpE1l3Y8F7PhJuzzMUKkJi90CYakCV4x/a Zs4pzk5E96c2VQx01RIEJ7fzHF7lwFdtfTS4YsLtAbQFsKayqwkGcVv2B1AHeqdo TMX+cgDvjd1ZganGlWA8Sv9RkNSMchn1hMuTwERTyFTr2dKPnQdA1F480+jUap41 ClXgn227WkCIMrNhQGNyJsnwyzi5wS8rBVRQ3BOTMyvGM07j3axUOYaejEpg7wKi wTPZGLGH1sz5GljD/916v5+v2xLbOo5606j9dWf5/tAhbPuqrQgWv41wuKDi+dDD EKkODF7DHes8No+QcHTDyETMn1RYm7t0RKR4zsFNBFp+A0oBEAC9ynZI9LU+uJkM eEJeJyQ/8VFkCJQPQZEsIGzOTlPnwvVna0AS86n2Z+rK7R/usYs5iJCZ55/JISWd 8xD57ue0eB47bcJvVqGlObI2DEG8TwaW0O0duRhDgzMEL4t1KdRAepIESBEA/iPp I4gfUbVEIEQuqdqQyO4GAe+MkD0Hy5JH/0qgFmbaSegNTdQg5iqYjRZ3ttiswalq l1/iSyv1WYeC1OAs+2BLOAT2NEggSiVOtxEfgewsQtCWi8H1SoirakIfo45Hz0tk /Ad9ZWh2PvOGt97Ka85o4TLJxgJJqGEnqcFUZnJJriwoaRIS8N2C8/nEM53jb1sH 0gYddMU3QxY7dYNLIUrRKQeNkF30dK7V6JRH7pleRlf+wQcNfRAIUrNlatj9Txwi vQrKnC9aIFFHEy/0mAgtrQShcMRmMgVlRoOA5B8RTulRLCmkafvwuhs6dCxN0GNA ORIVVFxjx9Vn7OqYPgwiofZ6SbEl0hgPyWBQvE85klFLZLoj7p+joDY1XNQztmfA rnJ9x+YV4igjWImINAZSlmEcYtd+xy3Li/8oeYDAqrsnrOjb+WvGhCykJk4urBog 2LNtcyCjkTs7F+WeXGUo0NDhbd3Z6AyFfqeF7uJ3D5hlpX2nI9no/ugPrrTVoVZA grrnNz0iZG2DVx46x913pVKHl5mlYQARAQABwsFfBBgBAgAJBQJafgNKAhsMAAoJ ELKItV//nCLBwNIP/AiIHE8boIqReFQyaMzxq6lE4YZCZNj65B/nkDOvodSiwfwj jVVE2V3iEzxMHbgyTCGA67+Bo/d5aQGjgn0TPtsGzelyQHipaUzEyrsceUGWYoKX YyVWKEfyh0cDfnd9diAm3VeNqchtcMpoehETH8frRHnJdBcjf112PzQSdKC6kqU0 Q196c4Vp5HDOQfNiDnTf7gZSj0BraHOByy9LEDCLhQiCmr+2E0rW4tBtDAn2HkT9 uf32ZGqJCn1O+2uVfFhGu6vPE5qkqrbSE8TG+03H8ecU2q50zgHWPdHMOBvy3Ehz fAh2VmOSTcRK+tSUe/u3wdLRDPwv/DTzGI36Kgky9MsDC5gpIwNbOJP2G/q1wT1o Gkw4IXfWv2ufWiXqJ+k7HEi2N1sree7Dy9KBCqb+ca1vFhYPDJfhP75I/VnzHVss Z/rYZ9+51yDoUABoNdJNSGUYl+Yh9Pw9pE3Kt4EFzUlFZWbE4xKL/NPno+z4J9aW emLLszcYz/u3XnbOvUSQHSrmfOzX3cV4yfmjM5lewgSstoxGyTx2M8enslgdXhPt hZlDnTnOT+C+OTsh8+m5tos8HQjaPM01MKBiAqdPgksm1wu2DrrwUi6ChRVTUBcj 6+/9IJ81H2P2gJk3Ls3AVIxIffLoY34E+MYSfkEjBz0E8CLOcAw7JIwAaeBTzsFN BGbyLVgBEACqClxh50hmBepTSVlan6EBq3OAoxhrAhWZYEwN78k+ENhK68KhqC5R IsHzlL7QHW1gmfVBQZ63GnWiraM6wOJqFTL4ZWvRslga9u28FJ5XyK860mZLgYhK 9BzoUk4s+dat9jVUbq6LpQ1Ot5I9vrdzo2p1jtQ8h9WCIiFxSYy8s8pZ3hHh5T64 GIj1m/kY7lG3VIdUgoNiREGf/iOMjUFjwwE9ZoJ26j9p7p1U+TkKeF6wgswEB1T3 J8KCAtvmRtqJDq558IU5jhg5fgN+xHB8cgvUWulgK9FIF9oFxcuxtaf/juhHWKMO RtL0bHfNdXoBdpUDZE+mLBUAxF6KSsRrvx6AQyJs7VjgXJDtQVWvH0PUmTrEswgb 49nNU+dLLZQAZagxqnZ9Dp5l6GqaGZCHERJcLmdY/EmMzSf5YazJ6c0vO8rdW27M kn73qcWAplQn5mOXaqbfzWkAUPyUXppuRHfrjxTDz3GyJJVOeMmMrTxH4uCaGpOX Z8tN6829J1roGw4oKDRUQsaBAeEDqizXMPRc+6U9vI5FXzbAsb+8lKW65G7JWHym YPOGUt2hK4DdTA1PmVo0DxH00eWWeKxqvmGyX+Dhcg+5e191rPsMRGsDlH6KihI6 +3JIuc0y6ngdjcp6aalbuvPIGFrCRx3tnRtNc7He6cBWQoH9RPwluwARAQABwsOs BBgBCgAgFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmbyLVgCGwICQAkQsoi1X/+c IsHBdCAEGQEKAB0WIQSilC2pUlbVp66j3+yzNoc6synyUwUCZvItWAAKCRCzNoc6 synyU85gD/0T1QDtPhovkGwoqv4jUbEMMvpeYQf+oWgm/TjWPeLwdjl7AtY0G9Ml ZoyGniYkoHi37Gnn/ShLT3B5vtyI58ap2+SSa8SnGftdAKRLiWFWCiAEklm9FRk8 N3hwxhmSFF1KR/AIDS4g+HIsZn7YEMubBSgLlZZ9zHl4O4vwuXlREBEW97iL/FSt VownU2V39t7PtFvGZNk+DJH7eLO3jmNRYB0PL4JOyyda3NH/J92iwrFmjFWWmmWb /Xz8l9DIs+Z59pRCVTTwbBEZhcUc7rVMCcIYL+q1WxBG2e6lMn15OQJ5WfiE6E0I sGirAEDnXWx92JNGx5l+mMpdpsWhBZ5iGTtttZesibNkQfd48/eCgFi4cxJUC4PT UQwfD9AMgzwSTGJrkI5XGy+XqxwOjL8UA0iIrtTpMh49zw46uV6kwFQCgkf32jZM OLwLTNSzclbnA7GRd8tKwezQ/XqeK3dal2n+cOr+o+Eka7yGmGWNUqFbIe8cjj9T JeF3mgOCmZOwMI+wIcQYRSf+e5VTMO6TNWH5BI3vqeHSt7HkYuPlHT0pGum88d4a pWqhulH4rUhEMtirX1hYx8Q4HlUOQqLtxzmwOYWkhl1C+yPObAvUDNiHCLf9w28n uihgEkzHt9J4VKYulyJM9fe3ENcyU6rpXD7iANQqcr87ogKXFxknZ97uEACvSucc RbnnAgRqZ7GDzgoBerJ2zrmhLkeREZ08iz1zze1JgyW3HEwdr2UbyAuqvSADCSUU GN0vtQHsPzWl8onRc7lOPqPDF8OO+UfN9NAfA4wl3QyChD1GXl9rwKQOkbvdlYFV UFx9u86LNi4ssTmU8p9NtHIGpz1SYMVYNoYy9NU7EVqypGMguDCL7gJt6GUmA0sw p+YCroXiwL2BJ7RwRqTpgQuFL1gShkA17D5jK4mDPEetq1d8kz9rQYvAR/sTKBsR ImC3xSfn8zpWoNTTB6lnwyP5Ng1bu6esS7+SpYprFTe7ZqGZF6xhvBPf1Ldi9UAm U2xPN1/eeWxEa2kusidmFKPmN8lcT4miiAvwGxEnY7Oww9CgZlUB+LP4dl5VPjEt sFeAhrgxLdpVTjPRRwTd9VQF3/XYl83j5wySIQKIPXgT3sG3ngAhDhC8I8GpM36r 8WJJ3x2yVzyJUbBPO0GBhWE2xPNIfhxVoU4cGGhpFqz7dPKSTRDGq++MrFgKKGpI ZwT3CPTSSKc7ySndEXWkOYArDIdtyxdE1p5/c3aoz4utzUU7NDHQ+vVIwlnZSMiZ jek2IJP3SZ+COOIHCVxpUaZ4lnzWT4eDqABhMLpIzw6NmGfg+kLBJhouqz81WITr EtJuZYM5blWncBOJCoWMnBEcTEo/viU3GgcVRw=3D=3D =3Dx94R -----END PGP PUBLIC KEY BLOCK----- --------------WCs2IROPQtDcK56hvgAVMkaO-- --------------qf1LHKElenqbUznICCoeBgTC-- --------------J5ASHmhtceyzcMXzd1vMFYLU Content-Type: application/pgp-signature; name="OpenPGP_signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="OpenPGP_signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEopQtqVJW1aeuo9/sszaHOrMp8lMFAmkFHMAACgkQszaHOrMp 8lOqbQ//biQgZVPddgUSjjjbPvqU41wdkafJE99vXhkQNynCf2pQyk5EwDRflvDp FPHzttyVxVqO2yJaEST1+wjzuN5P+9nYc6WEnwXoTlP1Prv4pvbrKdvPeTZGEocL uS+T8yP6HMq1qhAuPeItbGF0qVMqLWrEVcFK41FyxTmDnmCUvBsRwkgOtSfJNzUo BSa4v+K55lYuj9oh0tYoVba8+j6/iw4F3HEki6ISVXTL3xFpuN6kmyL98NFdwtYE ZKZB5vlrrQKKtDucgz+Gc6V7XN9f1e36Az7+pR2MyvRZmiuEObd5e2WmB/HSOB6e LjxflfwR2Gg5HUuJzXHolZy6RR8QctE18etKgHT9Ow9q6Bjre5wIMUhPIYggm9Mp WBAqphV2qDNCYhHEEomtWqUI2ZkLlXr4xgx9x9v36IbmNjL1n+xM6DPOOrRmsNmi Jwbk05fuWI/dNTRDNmUOAvGWB0gculTqOhMsgS+VfjfRbmZB53jE+0+q6u4ddrJr MTYEtz4gui7kCNErENRtj66MxPO2CWEyHtKlSnihh9p0m+HHDSEcTq7TQT8Z3WZB AQnl7UQZwFS1lcBS5kWr3bNBB6nUDEwyJ7psiHiMT17h100lj3ya1VKdNstaNgUo rrPxmrbn1dnMkzOTJMgrRsxySMShpbZPQiuCZFAkufQ7s13h3ZQ= =SrzR -----END PGP SIGNATURE----- --------------J5ASHmhtceyzcMXzd1vMFYLU--