20 files changed, 599 insertions, 0 deletions
diff --git a/debian/.gitattributes b/debian/.gitattributes
new file mode 100644
index 0000000..592f8c4
--- /dev/null
+++ b/debian/.gitattributes
@@ -0,0 +1 @@
+/changelog merge=dpkg-mergechangelogs
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..4c8d3dc
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,128 @@
+lacme (0.8.0-2) unstable; urgency=medium
+
+  * d/lacme.postrm: Don't delete system users on purge.  There might be files
+    on disk owned by _lacme-client when 'challenge-directory' is set in the
+    configuration (closes: #988032).
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 04 May 2021 01:37:13 +0200
+
+lacme (0.8.0-1) unstable; urgency=low
+
+  * New upstream release (closes: #970458, #970800, #972456).
+  * The internal webserver now runs as a dedicated system user _lacme-www
+    (and group nogroup) instead of www-data:www-data.  This is configurable
+    in the [webserver] section of the lacme(8) configuration file.
+  * The internal ACME client now runs as a dedicated system user _lacme-client
+    (and group nogroup) instead of nobody:nogroup.  This is configurable in
+    the [client] section of the lacme(8) configuration file.
+  * The _lacme-www and _lacme-client system users are created automatically by
+    lacme.postinst (hence a new Depends: adduser), and deleted on purge.  (So
+    make sure not to chown any file to these internal users.)
+  * d/control: New lacme-accountd Suggests: openssl, gpg (for account key
+    generation and decryption).
+  * Add d/upstream/signing-key.asc, the OpenPGP used to signed upstream tags.
+  * d/control: Bump Standards-Version to 4.5.1 (no changes necessary).
+  * Add d/watch pointing to the upstream repository.
+  * d/gbp.conf: Update upstream tag template.
+  * d/gbp.conf: Update debian and upstream branches in compliance with DEP-14.
+  * d/control: Point Vcs-* to salsa.
+  * Add debian/salsa-ci.yml file.
+  * d/.gitattributes: New file to merge d/changelog with dpkg-mergechangelogs.
+  * Add d/upstream/metadata with Repository and Repository-Browse.
+  * d/control: Remove libtypes-serialiser-perl from lacme's Depends.
+  * d/control: lacme now require openssl 1.1.0 or later.
+  * d/copyright: Bump copyright years.
+  * d/copyright: Point Source: to the upstream repository.
+  * d/control: lacme recommends lacme-accountd 0.8.0-1 or later.
+  * d/lacme.links: Remove /etc/apache2/conf-available/lacme.conf, now part of
+    the upstream build system.
+  * d/lacme.install: include new configuration files and snippets.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Mon, 22 Feb 2021 03:31:23 +0100
+
+lacme (0.7-1) unstable; urgency=high
+
+  * New upstream release.  Closes: #975862.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Thu, 26 Nov 2020 00:05:55 +0100
+
+lacme (0.6.1-1) unstable; urgency=medium
+
+  * New upstream release.  Closes: #955767, #966958.
+    + Default listening socket for the webserver component is now
+      /run/lacme-www.socket.  (It was previously under the legacy directory
+      /var/run.)
+  * debian/*: Adapt to new build system.
+  * debian/control: Bump debhelper compatibility level to 13.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 04 Aug 2020 01:43:05 +0200
+
+lacme (0.6-3) unstable; urgency=medium
+
+  * New symlink /etc/apache2/conf-available/lacme.conf pointing to
+    /etc/lacme/apache2.conf for use with the a2enconf/a2disconf interface.
+    (Closes: #955859.)
+  * debian/*.{install,manpages}: Copy files from $DESTDIR (debian/tmp) not
+    from the source tree.
+  * debian/control:
+    + Add "Rules-Requires-Root: no".
+    + Add "debhelper-compat (= 12)" to Build-Depends.
+    + Bump Standards-Version to 4.5.0 (no changes necessary).
+  * Rename debian/source.lintian-overrides to debian/source/lintian-overrides.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Sun, 05 Apr 2020 18:26:36 +0200
+
+lacme (0.6-2) unstable; urgency=medium
+
+  * d/control: new dependency for lacme: libtimedate-perl.  (It's currently a
+    reverse dependency of LWP, but we use it explicitly.)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 18 Sep 2019 15:41:03 +0200
+
+lacme (0.6-1) unstable; urgency=medium
+
+  * New upstream release.
+  * d/control: Bump Standards-Version to 4.4.0 (no changes necessary).
+  * d/compat, d/control: Bump debhelper compatibility level to 12.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 21 Aug 2019 23:50:15 +0200
+
+lacme (0.5-1) unstable; urgency=medium
+
+  * New upstream release, adding support for v2 ACME endpoints.
+  * Fix manpage generation with pandoc >=2.1.  (Closes: #896982.)
+  * debian/control:
+    + Bump Standards-Version to 4.1.4.  No changes.
+    + Build-depends: bump minimum pandoc version to 2.1.
+    + Depends (lacme): add libtypes-serialiser-perl
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 09 May 2018 14:17:19 +0200
+
+lacme (0.4-1) unstable; urgency=medium
+
+  * Fix manpage generation with pandoc >=1.18.  (Closes: #869885.)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Fri, 28 Jul 2017 00:24:06 +0200
+
+lacme (0.3-1) unstable; urgency=low
+
+  * New upstream release.
+  * Provide apache2 and nginx configuration snippet in /etc/lacme.
+  * debian/control: Bump Standards-Version to 4.0.0.  No changes.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Sun, 09 Jul 2017 00:41:23 +0200
+
+lacme (0.2-1) unstable; urgency=low
+
+  * New upstream release.
+  * debian/control:
+    + Promote lacme-accountd from lacme's Suggests to Recommends.
+    + Bump Standards-Version to 3.9.8.  No changes.
+
+ -- Guilhem Moulin <guilhem@guilhem.org>  Mon, 05 Dec 2016 16:35:59 +0100
+
+lacme (0.1-1) unstable; urgency=low
+
+  * Initial release.  (Closes: #827357, #827358.)
+
+ -- Guilhem Moulin <guilhem@guilhem.org>  Tue, 08 Dec 2015 18:58:20 +0100
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..3f8a096
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,95 @@
+Source: lacme
+Section: utils
+Priority: optional
+Maintainer: Guilhem Moulin <guilhem@debian.org>
+Build-Depends: debhelper-compat (= 13), jq, pandoc (>= 2.1~)
+Rules-Requires-Root: no
+Standards-Version: 4.6.2
+Homepage: https://git.guilhem.org/lacme/about/
+Vcs-Git: https://salsa.debian.org/debian/lacme.git -b debian/latest
+Vcs-Browser: https://salsa.debian.org/debian/lacme
+
+Package: lacme
+Architecture: all
+Depends: adduser,
+         libconfig-tiny-perl,
+         libjson-perl,
+         libnet-ssleay-perl,
+         libtimedate-perl,
+         libwww-perl,
+         openssl (>= 1.1.0~),
+         ${misc:Depends},
+         ${perl:Depends}
+Recommends: lacme-accountd (>= 0.8.0), liblwp-protocol-https-perl
+Description: ACME client written with process isolation and minimal privileges in mind
+ lacme is an ACME client which can be used to request X.509 certificates from
+ ACME service providers such as Let's Encrypt or ZeroSSL.  The architecture is
+ divided into four components, each with its own executable:
+ .
+  * A process to manage the account key and issue SHA-256 signatures needed for
+    each ACME command.  (This process binds to a UNIX-domain socket to reply to
+    signature requests from the ACME client.)  One can use the UNIX-domain
+    socket forwarding facility of OpenSSH 6.7 and later to run this process on
+    a different host.
+ .
+  * A "master" process, which runs as root and is the only component
+    with access to the private key material of the server keys.  It is used to
+    fork the ACME client (and optionally the ACME webserver) after dropping
+    root privileges.  For certificate issuances, it also generates Certificate
+    Signing Requests, then verifies the validity of the issued certificate, and
+    optionally reloads or restarts services.
+ .
+  * An actual ACME client, which builds ACME commands and dialogues with
+    the remote ACME server.  Since ACME commands need to be signed with the
+    account key, the "master" process passes the UNIX-domain socket of the
+    account key manager to the ACME client: data signatures are requested by
+    writing the data to be signed to the socket.
+ .
+  * For certificate issuances, an optional webserver, which is spawned
+    by the "master" process when no service is listening on the HTTP port.
+    (The only challenge type currently supported is "http-01", which requires a
+    webserver to answer challenges.)  That webserver only processes GET and
+    HEAD requests under the "/.well-known/acme-challenge/" URI.  By default
+    some iptables(8) rules are automatically installed to open the HTTP port,
+    and removed afterwards.
+
+Package: lacme-accountd
+Architecture: all
+Depends: libconfig-tiny-perl, libjson-perl, ${misc:Depends}, ${perl:Depends}
+Recommends: libcrypt-openssl-rsa-perl
+Suggests: gpg, openssl
+Multi-Arch: foreign
+Description: lacme account key manager
+ lacme is an ACME client which can be used to request X.509 certificates from
+ ACME service providers such as Let's Encrypt or ZeroSSL.  The architecture is
+ designed with process isolation and minimal privileges in mind, and is divided
+ into four components:
+ .
+  * A process to manage the account key and issue SHA-256 signatures needed for
+    each ACME command.  (This process binds to a UNIX-domain socket to reply to
+    signature requests from the ACME client.)  One can use the UNIX-domain
+    socket forwarding facility of OpenSSH 6.7 and later to run this process on
+    a different host.
+ .
+  * A "master" process, which runs as root and is the only component
+    with access to the private key material of the server keys.  It is used to
+    fork the ACME client (and optionally the ACME webserver) after dropping
+    root privileges.  For certificate issuances, it also generates Certificate
+    Signing Requests, then verifies the validity of the issued certificate, and
+    optionally reloads or restarts services.
+ .
+  * An actual ACME client, which builds ACME commands and dialogues with
+    the remote ACME server.  Since ACME commands need to be signed with the
+    account key, the "master" process passes the UNIX-domain socket of the
+    account key manager to the ACME client: data signatures are requested by
+    writing the data to be signed to the socket.
+ .
+  * For certificate issuances, an optional webserver, which is spawned
+    by the "master" process when no service is listening on the HTTP port.
+    (The only challenge type currently supported is "http-01", which requires a
+    webserver to answer challenges.)  That webserver only processes GET and
+    HEAD requests under the "/.well-known/acme-challenge/" URI.  iptables(8)
+    rules can optionally be installed to temporarily open the HTTP port.
+ .
+ lacme-accountd is the first (account key manager) component.  It is the only
+ component with access to the account key.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..1e7760e
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,16 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://git.guilhem.org/lacme/
+Upstream-Name: lacme
+
+Files: *
+Copyright: © 2015-2021  Guilhem Moulin <guilhem@fripost.org>
+License: GPL-3+
+
+License: GPL-3+
+ This package is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ version 3 can be found in file "/usr/share/common-licenses/GPL-3".
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..97c190b
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,9 @@
+[DEFAULT]
+upstream-branch = upstream
+debian-branch = debian/latest
+upstream-tag = v%(version)s
+debian-tag = debian/%(version)s
+pristine-tar = False
+
+[pq]
+patch-numbers = False
diff --git a/debian/lacme-accountd.NEWS b/debian/lacme-accountd.NEWS
new file mode 100644
index 0000000..a215031
--- /dev/null
+++ b/debian/lacme-accountd.NEWS
@@ -0,0 +1,8 @@
+lacme (0.8.0-1) unstable; urgency=low
+
+    lacme-accountd(1) now loads its configuration file from
+    /etc/lacme/lacme-accountd.conf when running as root, and from
+    $XDG_CONFIG_HOME/lacme/lacme-accountd.conf otherwise.  There is no lookup in
+    the current directory anymore, nor fallback lookup to /etc.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Mon, 22 Feb 2021 03:31:23 +0100
diff --git a/debian/lacme-accountd.install b/debian/lacme-accountd.install
new file mode 100644
index 0000000..5288ede
--- /dev/null
+++ b/debian/lacme-accountd.install
@@ -0,0 +1,2 @@
+bin/lacme-accountd usr/bin
+etc/lacme/lacme-accountd.conf etc/lacme
diff --git a/debian/lacme-accountd.manpages b/debian/lacme-accountd.manpages
new file mode 100644
index 0000000..34cd34f
--- /dev/null
+++ b/debian/lacme-accountd.manpages
@@ -0,0 +1 @@
+share/man/man1/lacme-accountd.1
diff --git a/debian/lacme.NEWS b/debian/lacme.NEWS
new file mode 100644
index 0000000..b3c08db
--- /dev/null
+++ b/debian/lacme.NEWS
@@ -0,0 +1,35 @@
+lacme (0.8.0-1) unstable; urgency=low
+
+    The internal webserver now runs as system user _lacme-www:nogroup instead of
+    www-data:www-data by default.  The internal ACME client now runs as system
+    user _lacme-client:nogroup instead of nobody:nogroup by default.  Both
+    settings are configurable in the lacme(8) configuration file.
+
+    lacme(8) loads its configuration file from /etc/lacme/lacme.conf when
+    running as root, and from $XDG_CONFIG_HOME/lacme/lacme.conf otherwise.
+    There is no lookup in the current directory anymore, nor fallback lookup to
+    /etc.
+
+    'challenge-directory' now needs to be set to an *existing* directory
+    (writable by the lacme client user).  Since lacme(8) spawns a builtin
+    webserver by default the change only affects configurations with a custom
+    'challenge-directory' setting.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Mon, 22 Feb 2021 03:31:23 +0100
+
+lacme (0.7-1) unstable; urgency=high
+
+    The certificate indicated by 'CAfile' is no longer used as is in
+    'certificate-chain' (along with the leaf cert).  The chain returned
+    by the ACME v2 endpoint is used instead.  This allows for more
+    flexibility with respect to key/CA rotation.  See for instance
+    https://letsencrypt.org/2020/11/06/own-two-feet.html and
+    https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
+
+   'CAfile' now defaults to /usr/share/lacme/ca-certificates.crt which
+   is a concatenation of all known active CA certificates (which
+   includes the previous default).  Starting December 2020 Let's Encrypt
+   will use a different chain of trust for certificate issuance, so
+   users will a non-default 'CAfile' might need to adjust the value.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Thu, 26 Nov 2020 00:08:32 +0100
diff --git a/debian/lacme.dirs b/debian/lacme.dirs
new file mode 100644
index 0000000..47f5aa9
--- /dev/null
+++ b/debian/lacme.dirs
@@ -0,0 +1 @@
+etc/lacme/lacme-certs.conf.d
diff --git a/debian/lacme.install b/debian/lacme.install
new file mode 100644
index 0000000..f1d7e25
--- /dev/null
+++ b/debian/lacme.install
@@ -0,0 +1,6 @@
+etc/apache2/conf-available/lacme.conf
+etc/lacme/apache2*.conf etc/lacme/nginx*.conf   etc/lacme
+etc/lacme/lacme.conf etc/lacme/lacme-certs.conf etc/lacme
+libexec/lacme usr/libexec
+sbin/lacme usr/sbin
+share/lacme usr/share
diff --git a/debian/lacme.manpages b/debian/lacme.manpages
new file mode 100644
index 0000000..393745a
--- /dev/null
+++ b/debian/lacme.manpages
@@ -0,0 +1 @@
+share/man/man8/lacme.8
diff --git a/debian/lacme.postinst b/debian/lacme.postinst
new file mode 100755
index 0000000..536e37f
--- /dev/null
+++ b/debian/lacme.postinst
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "configure" ]; then
+    if ! getent passwd _lacme-www >/dev/null; then
+	    adduser --force-badname --system \
+            --home /nonexistent --no-create-home \
+            --gecos "lacme www user" \
+            --quiet _lacme-www || true
+    fi
+    if ! getent passwd _lacme-client >/dev/null; then
+	    adduser --force-badname --system \
+            --home /nonexistent --no-create-home \
+            --gecos "lacme client user" \
+            --quiet _lacme-client || true
+    fi
+fi
+
+#DEBHELPER#
+exit 0
diff --git a/debian/patches/Mention-the-Debian-BTS-in-the-manpages.patch b/debian/patches/Mention-the-Debian-BTS-in-the-manpages.patch
new file mode 100644
index 0000000..24fad20
--- /dev/null
+++ b/debian/patches/Mention-the-Debian-BTS-in-the-manpages.patch
@@ -0,0 +1,44 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Thu, 1 Dec 2016 00:49:17 +0100
+Subject: Mention the Debian BTS in the manpages.
+
+Forwarded: not-needed
+---
+ lacme-accountd.1.md | 6 ++++++
+ lacme.8.md          | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md
+index 4933a78..272cd52 100644
+--- a/lacme-accountd.1.md
++++ b/lacme-accountd.1.md
+@@ -206,6 +206,12 @@ Consult the [`lacme`(8) manual][`lacme`(8)] for a solution involving
+ connecting to `lacme-accountd` on a dedicated remote host.  Doing so
+ enables automatic renewal via [`crontab`(5)] or [`systemd.timer`(5)].
+ 
++Bugs and feedback
++=================
++
++Bugs or feature requests for `lacme-accountd` should be filed with the
++Debian project's bug tracker at <<https://www.debian.org/Bugs/>>.
++
+ See also
+ ========
+ 
+diff --git a/lacme.8.md b/lacme.8.md
+index ad6dab6..33d7e11 100644
+--- a/lacme.8.md
++++ b/lacme.8.md
+@@ -499,6 +499,12 @@ restrictions:
+ 
+     restrict,from="…",command="/usr/bin/lacme-accountd --quiet --stdio" ssh-rsa …
+ 
++Bugs and feedback
++=================
++
++Bugs or feature requests for `lacme` should be filed with the Debian
++project's bug tracker at <<https://www.debian.org/Bugs/>>.
++
+ See also
+ ========
+ 
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1c2191a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+Mention-the-Debian-BTS-in-the-manpages.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..9ba6afd
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,9 @@
+#!/usr/bin/make -f
+
+override_dh_auto_build:
+	dh_auto_build -- DESTDIR= exec_prefix=/usr datadir=/usr/share runstatedir=/run \
+		lacme_www_user=_lacme-www lacme_www_group=nogroup \
+		lacme_client_user=_lacme-client lacme_client_group=nogroup
+
+%:
+	dh $@
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..90b2a9c
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,3 @@
+---
+Repository: https://git.guilhem.org/lacme.git
+Repository-Browse: https://git.guilhem.org/lacme
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..8afec53
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,214 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFCXIGYBEADjtahMDYeKpR3aovhSymGabaQFtQMb4idCCZBXcm/QL6QbdCtl
+RGF3FoTeYPxk7wmcAqpA3JV2Hkc0tB+pWOaDJTJFEasNuUlIzcaFnr2VqsLRLiTP
+LWNlnSLbUb8EtyUyaj5qkZY2e0LAUrNXGspNEqTOJUE3j8KXLpxXadjmDKDD4Z8o
+P2X1Qxb2VnNmJ6/T4lpCdTKpQE8gG8qpq2oQXuqoiezO6pudohimvVsKUTXcumlk
+bLgbvnFsb0cMyUCqYuV1XHAGgcyhnolnf4LqLSrh0pxQYo79JUehYBnbRzaEUNwx
+fBuOFsmghkM6IXlEgOy1mWgf2K2f3dsLO0uAtb0Txtw0eztX5r+KLIiJUuSOh19J
+ygFG/fppUGoc2YGq1iSdSGtZfpBS4ntDDZGL+hOb0ZMN4QCooV5PELm0Wx2/onCS
+tteyDH9nU/yvJ9pCsn5flR3jJCNC35AoxJnONZ0KKcVzzdcMG9uCf+PzH1gJi2f/
+Y1yPr8a5kNltKL2jVs5Nut8R8i2UngjipMTWFFP+eJlJm3aQl9EbL31G9j0GnR4Y
+TZFk+MuTSqmZ4ZAzimT7ffDCIZQymrYyGGpJjdJP6bh/KcAZtrAdcj77CKlz0A+Q
+aaJ9hCtERjy2DSn+UqAGdcln7fdaMJ9TrqqAa03wO/QIU5MgJpH14HdHQQARAQAB
+tA5HdWlsaGVtIE1vdWxpbokCVwQTAQoAQQIbAQULCQgHAwUVCgkICwUWAgMBAAIe
+AQIXgAIZARYhBHQg34a84VpFjc6ZdjknjagQnmJEBQJdkJ7ABQkRN9JaAAoJEDkn
+jagQnmJEExoP/jxRyCFWVWt70M2hPG0TWQ37AFTBghVzzAzCDWHJzJJzGc+XDb1d
+AvOFkodli09eKv4lA4CVCwQT7fXgzHZegKfSSttgpArH+OByiQMtV2RwfYnnrpJj
+sHKmo6rZTPf59D743R7wBouqeEbst1Hee1XDWUKRorWRONCrpkCeOd4vnGGEPPSb
+euWnYQyd4TwBDzlF/J+ce3kIHCpUB55EBKCUecdWEezfS7nNb4m8UR0Pu3Esj+x+
+BS3Ezpq3GL9k4PAd3ip1BLuB/6KISltQMoCVo0JEzDqhc+1+Vj4YeIznA0JZORDG
+xAMa3TP2Ssx96KGKlhRqVjnrWnSlJYrNczKf06CEoPGmcq5Lg4hoHLSuGyUrZoiY
+arsm37XRemVcgZJqNYGJMzrEYVsNWpYH0TX/MMkGGVpB9wun0ylKN9NTlVrmYjMT
+HSp8g6/jrGmMnrWtsRsfgZ0aFwggxKRGSXvXl3p/kvCLB04Dt0hjrbGn7kOZq4s4
+VneMLDoLNWmEQTXbpMmcuUneCe8OH8sT7f3/StVSHtoeBycnJG7ITZZRg4VvjLU2
+fmK+03f1JWMektFwEwt1u9wjQNMXRYSRqA9EgkHVuGHdWw+DLsi0V5s3hjhBdCvq
+lGcDILiUM8hHi72tEKeGx7FKdiF2mgY9C+Gb5WArRI9juAPonWe2ofwutCRHdWls
+aGVtIE1vdWxpbiA8Z3VpbGhlbUBmcmlwb3N0Lm9yZz6JAlQEEwEKAD4CGwEFCwkI
+BwMFFQoJCAsFFgIDAQACHgECF4AWIQR0IN+GvOFaRY3OmXY5J42oEJ5iRAUCXZCe
+wAUJETfSWgAKCRA5J42oEJ5iRBGMEACHG+IxN3/GwROdJmJEmtAFG5i8SgIbXe5M
+OpyYxojL4JUCZ9hB1dDm7nMSCvHzfrxIBOeK0hqKeUBWV1vwgiKA0o0ba+LNYezI
+xhIA8Wk/khoOIN1zbZS9NPP7+gt+VtMsMU4UJOP3CYllclDkjwu0C8ptfleN+L/9
+R8tqgpJuuK2lHoLF97Oui9izMKF9eCzSNERmYFnMuS7zxoB3zFWs9ni2oUw+orde
+i2wlYp5NiAmoq7NMyTVoczIYLy1ndPrT07Qh1GVfwdd1bX1kN7i8hZEo4ligIgMu
+cXn1dKHrE17xkX1Hde12stNFDSjmjGdaX/sVljCiz7s9CJSeXZ2aKs+DIof1sZha
+8vG3HAekeD+9csurQOvK4JWifL2C1Rmq6f+9wpUvhv6tvaubGY82VmnfTsrjx9T4
+B+ZGJJB8ktcKvu1Uc2w7WOigLICI6iim9lU7Ot27l4c+eDbUO0bf5NnlJeQTa+Q6
+BHNmy5l+uuvL3PHl/BAlqYa4IvJPBMLl/H5AugbCBx40kSYo50AJdZ2Kt7bpXcoq
+Ex78gFLriFziYYUjqJaNx1DjeTvYE+hCDR2M5DTd3PO2PCeGVpe5IZpPaNusdwg6
+ubreTpWCZft3O1tJoyui4qEChGKVjV5juZIHNhdrXnnW8q+gzIfm221CQHG3R3zX
+YtRHhVTOurQrR3VpbGhlbSBNb3VsaW4gPGd1aWxoZW0ubW91bGluQGNoYWxtZXJz
+LnNlPokCHwQwAQoACQUCV35wugIdIAAKCRA5J42oEJ5iRFB7D/44uGGQbYaxwWo9
+mfzpkS2T3EVpwPzTasuEHB4E4prpP2UYjJP3f0i18K+rVYReHqp8LOXVQvg2HMsr
+EOHoSvdhuZq56glXWyTslCAOQGTc/AbFj/K2C72PhzoaS6Oq5hM4AW6ilMSGbEPR
+rr/Ys7oMhuLv0dlVYOZpcALeDO4c4sXK/XJnAOJgCbHPD+Miw+JSKZzMfQKmNenY
+9vN60zm1ipQDBwt9Z93h8FD+krh/QQYRiVQtIfYhgKw8/xdeVJbL51AYnPkSE7Ld
+6q4rIDASU/9BN1PN1vdhadTBCKd0CxZHfK7332qRdY1wKDHsoe0uVS2S1pUNFHtq
+0FPK7kkJNk5TrPaST1/lwwF1raZxfwMVVHvZnfOvbs0d+rEq6MRqjjfHxYrksXF6
+MLSueddRo+KpGO6FlPI3vRnfDAi0WSdENWAzfEaz3K/ZuodaTzwy35Dg3wxGwHxD
+Y/b11XRwBHjn//Z1hBhw+2Rw7iIFSYMikpMVSZqNDDOcXJ2UXT49f9c3SC7xXz1U
+qJqtvxgS5He1D7pNUP0mrOsETsk4W3cl15Z1tlb6iiWkrK9ZSLIWBxOZSWp5YxVh
+MLssbMAzW3blyKZzAn12Am3ap40Pb0KJBA4cUHKV/Gj3JnSP9CDr0kTerlJKeIga
+wRSc+84HpHHPc/xVxbwFHyzfFN7C+bQrR3VpbGhlbSBNb3VsaW4gPGd1aWxoZW0u
+bW91bGluQGZyaXBvc3Qub3JnPokCUQQwAQoAOwUCVmx7AjQdAFN1YnN1bWVkIGJ5
+ICJHdWlsaGVtIE1vdWxpbiA8Z3VpbGhlbUBmcmlwb3N0Lm9yZz4iAAoJEDknjagQ
+nmJESF0QALfe4R+HP+L8ScT4msHjhc6bqlJkckaYO4An7mNUe7IEMoRirYET226x
+9Ftc6PGPIaUPTg+xE/t2c8Jx3a929/kHeDE2VRqn8ANYICphDKF/W+Drviw/fKd6
+GXUV5okQn9cBThGvJVWYGAADjXMmsLX1lHRSuOL1XbOwj19TGkL+jk2ngP1cmFvV
+ZoUdYK9KWBiZwliZCOCn8d723HTg+c/DTuOlUNKH27Vs4m595eYIaZ3u4HwHZsMB
+nlBR0gvS285lSWx4j4FUGFWK/MYktDDIJuTRUuNiKUMKHZ9wO72l1Tv7M4JXRlPT
+5mK/vZKqZABx8jhSsFr1k+e5P0Z8LfpUZYS0LJgR0zflqEZkloWusOmv1TWXq9MD
+dLfRLsEe58sj2iwmEIxXQX2yPiy7J09L3vDcLJl2l/6Oz6U0xEEyc9jN/QdXcsMK
+WcrtkCY4imUHDulzBoPtusIqYoccHPTkxoENRmEWtcTp7iZthhY8IxUpbFW/V92U
+WsVw87Z6MkYiwSxgeVtLxYPd8qdMAYQY3ehFStoNJnJR03PW+CZwGsIp1EntL0K1
+huC8yq23N4rfUkV56EDQjDUWeEGbmwY5knYF1SMWD1eftXDhs8HeuqrPJ7MgHK8Z
++PmcCsOjl472gaNnf6unGASbSZ47mXMH35amLnIKwI1w4E0GoUbKtCxHdWlsaGVt
+IE1vdWxpbiA8Z3VpbGhlbS5tb3VsaW5AZW5zLWx5b24ub3JnPokCVAQTAQoAPgIb
+AQULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBHQg34a84VpFjc6ZdjknjagQnmJE
+BQJdkJ7ABQkRN9JaAAoJEDknjagQnmJEP4EP/Rn1ImI75n/owCQGMdqiOfZpcXv3
+wYnhME/3vAnxBoTvyLeVRAzEycUFTSl/Pzc8Ncu/WfmZ7eDDXKtgFIdNxJPAwz8k
+PxQNwscs6NcYFbSa/M95uA6fAVmqlgdyHOibSm5ZuhxI3TZqxgiWbEoCI2IpeW/p
+6tc6HW74CYhK+xjYsmVpuqBkDoYKdQ0o/inpI7IqC2lozs1h1FuPzPr05Dd/nO4/
+abDK7XpdXIPvg8dwsYskAz4nDMLvxSZibmVqZ/qoRTOZRVQtEI2QLCcMrg5xzjpM
+MYrq1cxtKm9qcttYveL/E4f/0kZqJ8st1AgHBAHe8VQHcq+JD57wyJSUPo7CRaUT
+gZIDt7lDdxWdCEZs+oGIx6HR4DkdrpndYrEn7JGDpwb3SkuSA/PpHS0otS1rc2It
+C4sMcpplG4zpEcz3PpOWFRbjRoL/XXQX1p/1gQYDt0cjF5Q5YPB8+JxluahQR2Tx
+RIdHiJphl/ctQbQtO5/e2/GkEvrlIBl1ymFrnXiQlPa9zaWJPz5iYEdoYwGFcqT8
+q8KXhDUkrZ/j4857ztOuJJmI1BlZ4e10zjfDBHKOh389D+RJ3MrHkXhvvwxbyy+A
+LHqF5HV/BUz/d9ZLC6sXjcUjMMLOelT9odSN9iuNlLi/W+Pd1Rj5Qgylvz8AfILH
+iphNiwR2Ik+AsX1MtCRHdWlsaGVtIE1vdWxpbiA8Z3VpbGhlbUBndWlsaGVtLm9y
+Zz6JAlQEEwEKAD4CGwEFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQR0IN+GvOFa
+RY3OmXY5J42oEJ5iRAUCXZCewAUJETfSWgAKCRA5J42oEJ5iRJC0D/wK7yX/AdmI
+6Bo+r7/H3iDn3WoNNjIybfgnTsQ0k0DtMVim8LbjEhfUQXGhZOJh6MmG5IG+6ixM
+Ih4VjPlyia53L6mHO+PNA6M4+VyeCErboBl8OfURzAmPBLA0PkojO2o4gDD8k6aD
+VVyNUjrGG7cFQbMemlFda59BHt0quuP+9b7HPfPqaLmBJ0uWPhhRfTqT5QBV7dx8
+bVHxg4knEHSCoXXr9gqDoF6ze+ogNEC4eCKYB1mlpNPSPPu6UTB093gMPkakmfvZ
+IOjr3xHo9PspeQOX5zMSrFAlzQQirobLarO1Q1rUQJMuqZWSiqgu86W9quTaWlUG
+BJbJOJQLHvNfbPVmuxZSs9kKbFpBxccF6/VkVgCvQ2qd+aCgyZbgimi2BAtY21Dw
+rr9NpG1wopJ6WmyjbFF7q6LHXiMr+zwSnce1OY8slT2Olv+woHTkz9QEW3o8jBRZ
+8cQkIIbnqP4oO79gzI8r0Vf2P9sKh41roBKR9jNqagKkQS7c/7bqzzMfWLItlv+0
+8ayaNYfvBi9jLCMKmzPE0trrZIOscRMlugRxGewcCkFSG5tXZCk0xN6h/861ON3F
+qagbD28ZMyXyyezTTxBcNsMSMpTKI9ZuBQN5oRtO06Krjn5LaBmOtRfQthchZ/eV
+lXCI5I4fwS3x82stlDejHgUQ2gCyaJ0kfbQoR3VpbGhlbSBNb3VsaW4gPGd1aWxo
+ZW1AbGlicmVvZmZpY2Uub3JnPokCUwQTAQoAPQIbAQQLCQgHBRUKCQgLBRYCAwEA
+Ah4BAheAFiEEdCDfhrzhWkWNzpl2OSeNqBCeYkQFAl2QnsEFCRE30loACgkQOSeN
+qBCeYkSsfg//da0Uj/vsNFmfVpv0JcRUVyxX1MRCOHcVwNQPW+NgpipELQ5lY9+y
+ti2XG6y3JG05QUs2ygOOyDqQQSIXzrMphKQIvG5cay9w2f7BHjB08X/pIJzqP/cs
+FK26i13uvLch/BFMzZ8jKaw2ArdOcBqG7RwZZCZKC6EeEZqBxDbK6GyE0tB/8j0W
+RE9FfT7lrBBHOh83PYfP0bELCOXFaGwxci9e/y2cFJbB07Xb/jFHQCLg28xvNRBi
+JPi/+5agOI4tENMGXfIlNRtfIo652w1vjA4/6bB5LZ+A2nyZb3jtatIU3QSZwsk1
+W/n7scGOaJ8MEqyD4wLLOwdqmFjwzMz3dfp9CHhN8H/X0uvZActH6FXzfvulg8RE
+rMJHOE1DzxuaNnfXxHB/pejruyp27UF/OCi1NAd/x5vpM7QrIR8s9T24WEXZOD11
+aNNqrYsrZVSG3QGx5s/kJckHBgxrxRSpLKMOwPhXtp9VPNJpWiFtM3a0AcH3VjuU
+cXMRjG/PAFjEC6/ymXpO6xJDDKg3iD1sKk2pe8m36NHgMkT8yHe0yYF3qdC99aFN
+l1kH0S1KEAXj7nxrUFYqbTvhc4saHojHItRCE4PjpOvrAehg8bcZ58tmPeVmo+lz
+qoQAmHpnaXV612NdyshK85b5dt7kSA5+nw46wrrSZqz/3NSEmvMUA+q0I0d1aWxo
+ZW0gTW91bGluIDxndWlsaGVtQGRlYmlhbi5vcmc+iQJTBBMBCgA9AhsBBAsJCAcF
+FQoJCAsFFgIDAQACHgECF4AWIQR0IN+GvOFaRY3OmXY5J42oEJ5iRAUCXZCewQUJ
+ETfSWgAKCRA5J42oEJ5iRLncEACgG5hc4Rj713tUjISVbox76suWaks8Fs77OFQA
+WIbu21yzLiTwhnU4as8cSGN0x/FUsWSpfAxtSsYlUtFaPfT4nxT5IthYZ2PL6RYc
+w0KqUGc5RQ7MrOv0a1nT21Ac83kzsiwXFN1ZzqL5BpJwno2boBFwfDftp7bpctCf
+yPG/Pq2IYZPtggiWbCXr+3gbdqY6DIf2EosBXtfovDSFJ1PzdEEpA4Et2i8PQo2Q
++PxcDlLrlp7EIaIR9HINTYtOAHQ203bHyV0wkSiMSocAK1q59YaSKFXkzaL6UhvX
+/YMNkI096UgP642nDrF/G3zzQ8cTJ8wGjjYDx+SLC+JUJwwG8eMO22JR14w9adyR
+W0gi0i87Dyer6LoAGqBVPqmxrnEME/zZN7J9V5EKmGARWuxVKZ5NamGLn8czMBiE
+TQLgf2truHd8wERHZ7CjOM2X4Buqx1rHHSouL7S/gRf+XnvtU/kc2fj9VtEJpB8f
+WcDXHKnm206+w8JTSVti6vOpWmTo8iO9Vcdi/NiKOwNg8DNITtcIxLgI54H1AP3y
+7f1IUuKaDB/ITveSUBRqVtVEWlNUy9pbVqOJrAIjl7E9ouRu/QwTKM7XcWn3aJNa
+oQje1U24k3B4hhiPPcM/K2YwF8fnU+LOW/uvpF5cWWWELEsR+B47EnS0dX5SfVCw
++Xl8rLkCDQRQlyERARAAzi+R39PEKV7sLncMEvWHQTTGSUNRSD4hEOhB+PVhOUmj
+DSwglgGDZ4wfjKmmmgHREIGSan6bXOXW38Iepc+XB3NuGgMZHgo55mmRJydDqFC2
+HP41Cruu91mOkOyTLbyg4lM7efi24xc3BPuxV4uFsEKaHUdhRTqiETxRTXqQCooq
+UeWsDZdc7uJUtdV70T7H8n/YHRtJnCue1r8QZP03Vzuav0KXB2ad4aqTAYeZz4C0
+bqfJI2NYEKbZc/6ECsA1nEGf4t5M5boWgYAQELHuHPMl++mWAHGQkwlfk2MEPFRM
+SU5+8O8V5H70fc5eOpEhz99AOFKnskvOssMiTi5yA0Hy9KXLFS0h95KY8afsQdc8
+uTwjwcnaFz6/9EEAN8b1I9e74eXkSaSLHxyb53EsiX8nVEvYPDw0Eq2bgc/OXiR3
+07JCqdPZAfRiTKt2PQyFSuvf9wHO5XFYHTEet4zU2ViQRoEWYqcohm3gGrU0OmOQ
+p4AyW2QIAbHy4K1KP3GLmy7tLl5a9Vzra5EvCtxnyBzSN5Ca2vyWTzh41yf++8fq
+BMoV/zvRz1nZ9MbajNXMPuf2wFLxLzDV8vB5TPmf1P5PQtkS/Tie6x57LpeS1bJl
+0vs+8MdWAvnpxFX6L3lIq3r7oXnlJceO5VapMkdm9eH1adpr4Ef/zt7B2k98s5MA
+EQEAAYkEWwQYAQoAJgIbAhYhBHQg34a84VpFjc6ZdjknjagQnmJEBQJdkJmsBQkR
+N8ybAinBXSAEGQEIAAYFAlCXIREACgkQ05pJnDwhpVJVhhAAhoyf+ONzqGNacWB1
+kWQlmuyPmraoLiGk9hY/TRr9g6g4VHqRffmaW+iqUmBKb4xiRkAZ+YEftruDudsH
+yJsVyw181mkHLvPLf4wc/Ywaz+O5rY+/jO52w5T+Yx5zxVbuHnL1Z2YqINvbPWrU
+a9s77/PTN1Rf0f+Ey3yNtjeIXiRu1a29zCT+xR8YVSIp+HmzKWenpB9ow6Mfvwxq
+AjjxdbU9AUJkuYxXF3PZYzuK960bvck2ki3q4mFL0LAF0pHJEwvnbgfDgzJwWZz7
+AVP6M9k620Z9cF6+RMXHkrMmpyWAvoOpBHRZGCPmRDnwdumqiGZcTArWcSTOy35P
+i3CQYUW6nM4/Tz9nNHLmh6xqTmXpmsgX6zKE6JmVi/GO9JzZw5xQqdcSlvpnMvdk
++RJu6C0OGlZOv7AQcv1rDaAhHQ+RjfTF9ooCrfwyOiJt/T3PJQi1YQUx88jVa9GQ
+3fwbuZrH9zyo4y3FWewMehU2NG1NHCgPCYvQi/TMXN/cxJfkeqLIjsoVascIquDd
+pV5n7aI7bkqtuz/gqy0FpPFhcdpfytpVbCiGjy6W7OOcK2QHf+Kt3z6jCYxQd/SJ
+8MRggqpc+zVvOB+l562VEZL2Vs7ULv0ClR5pgSO0w7nR3AixKk7pqFatjrjSSWde
+1PU0P2d8CjZ+ZQ+5f//nv1AxfJ4JEDknjagQnmJEdC4P/jCONLKYeORoY+PM90YV
+CVmPb1TvZNdhz7bmtL11Kp0q7pcgvUx24iNyxBG3KFE1QKxJFde+KV+1qsuAFYAJ
+Cq9K18S7Rd+eVq7FYuviQVsU/SM/LzLpuNnSw8rSCWiy87ABxp1wdva/JKkXkQgd
+OZ+KmISMJQyifiIDDG7AxhTzdwjK+X4Lc2hZkPrtP4OkuMrSjOKWARTh+2lc/V8N
+5JAjeM/IZE0hdKqbvNF7gIrSkuvr1hA1KRD/4s9FkDjMSjEw/m4esFn/lBsBIBUA
+Qq+RaE8SCX8WbL9nuw9ga4H7ACzjvVqXkCPOKhdByz04MJZIyQ14Dzbk0IDNjkru
+nNnjAcdx7xORm4X0FK5AZSO5ytfwMznvwtCAWhp2vVatRaqVgf6+NuVXLp6sseVM
+HhTjuQFPExUDzP4fogrIW9NyLBMe6S7NSVhFk7OeiHC/QF1deWWBlfzknJ1oyIID
+bUUYlVUGPyUQgRlBazXPxKIVhXcJ0k2sHu3rUEpdu8aa9nU9vdMrqgLHvcDqwylp
+q3iFLu7wjn1SUOra7BLUVnTJRKy5ie3X4RYCaq1jzgE19KyoDI5amIt4YgMj160z
+8F/ycEiVGj2bcwMus+fyHQo6TkYDTudW5hcLyH1XkpXIVNx5WuoMyJWSXwIrEq96
+e2oWfvwOesN3w08V+HWPd5mRuQINBFCXIWkBEADYqxLU/iHbhzsFh0uRw4XwVhaw
+mUsWSXycQp9bn+aDG9oTb/VYgQDpHEwEX3uba4qCSeOdV9Vs2aksz7xI4wNUFjrI
+IpzkPJth1bu2qbUYtezgq0HMuS2w/BbnuoNbvBTKl5vEjE1/AmLyP9tMpSZjBIqP
+KdxtkK0np3NOxjd00Dj+YceRKa2SZU0ueqh+VQyzfaTfupMMNuI0DpN1Q6rjr2is
+HvU0qbHKTwQ6TKyHwRMXC/pMdRr6ef6WL41NAGZlzq/7fybEQW7qAx+c5fc6Q1L9
+DRPXZwcAzntBz3foameDWlS2Te3dB1FH3WpuwvrzAGQr7Xpx2GXn5UWim2MUYkwX
+ACH/t1baz3SrtpUwIST1x6KG5jmzoRlTuvvRVvgtzLAYZn3UPCmvJfYog7A0vVRg
+f0ryBNE32ZPIevRNJT/SVDJIpt0JARzVdKpkQG8eKnH1EHngQDEnBCPYOrL3rOxN
+OVqoWBy2DUkHpvhCnowND1W+t3ya/rXEzfEq3SOc34T/wcclGJdJtkTS417ix1ix
+eEl7IbDqv5i3vXKpPk+O6t30Sk5QZpQu+fanlJJAjZStZJn1bbNFOx8X1r738STk
+6mhqT8+8Z/4ciFG7fnH4AQW+mAZJ8Zndvz7PvVwj+GVw49utmwDzCChHgSwDl+eU
+WJE6Ig01JoszE7zXHwARAQABiQI8BBgBCgAmAhsMFiEEdCDfhrzhWkWNzpl2OSeN
+qBCeYkQFAl2QmbgFCRE3zEMACgkQOSeNqBCeYkToJA/+LgryFWW746I7i2Zc3JOU
+Y9y8rBb+c+ZY54aBQYJO0QQ3las3pxgbLDuRL8IyF0DKAxTw0GbOgFDnORZuI51f
+Q49ND7I673aPX+f5tHgEwpR53DtRjdhqQ1RHzZ4sXjUQiEPSd/NgbSi/Rw8I3ROh
+O4bFDtS0go3bw98vLY1dtsS3oAnSKddUZPV4bEUbsnuoaOm1G938Y78lvvfeR4NE
+P5GV3kW7Sm2ZoKA3P2d2t0ZWXJMNJD2k0sTNozz9cbQfGjdKAF6uwg4RAULEbKrV
+IOhkzqyQDzd3y8wTARbQBxl5Ox/q06qxVwNkk9mY+plgJIh4OJutJjE2ghSWH/kw
+6Tht0RUiH0pWRq7GFALmJzQBq4UbGe/rhbvy3GeFBQQkxXfg8p0y1SZSKXe6vOHB
+TzaRlnr9IhFyZqASokSVaPmvR9oHCQEjP/cBQR2sRQm4gqKMHr7gIb1DmIxrewJB
+vGJGuoF8+cwPGxA5kZXUDGzSJScm/zU9w70voHJ62onFEth4iI93S6ssinNu7sOo
+V91FFLZ89xvzCCslX1VDGRcUaxB0AKET5ahQOnB7nEGv6v6yFhrlVGS+93ryseel
+frEG3yBwdjhYO8JGrIA5HJP8Q6sqo747sq5UfVc+8eRZotPfjykuouCe646uvwB6
+lEqmVWVRUYtqmZpHLjim4zS5Ag0EUJchrwEQALOrqpCPddr8PPTdRBmSGorqwdmk
+TUHPNRd36VbQJPJt0/8ZAJh6J5KZo9Bzv0nE07Iwcz5bev7iCM9dTR0UaLj7zlS+
+VwFbdUmjfxie8iIlZB4l3pmKXShag9zJTYyt/0HUU3RytJoiGigsVX1O/qNSM+QW
+xrPGsIg8YmRSbQ3PwOsc4udEAqL2/pZni+raf/TAS8SQbJHm2K9ebHSQ8ZBbvap0
+ACKZ8ePNGYwW9BAC//ucQ6vPrDxNn7i1IOpERhHcquNQ/6qzre8VYmHok65CFLey
+zCdVb/QXrk/rp4bl/ZurgjJ22WUJ97AFaKo1rgMpoKVzGXEKfSbvQ9Tb0BX+f9Ws
+6GvX5bH22RbQKVpzH2I/IKhoRIUsJkPPqX90YDwLhqc188gVmfKx9SW70MwqYY9o
+ms0RXMuxmdwioWYHE5wChNZQocnHb2fnwuAmoZzRj7IZzcsZvYPpT6Ld/dKWVnIM
+WaZ3vsQx4yF2morULH0Yrb4wrXzK1vASDRgW9G2Im/y7woZn609r3LNA2ELioEHF
+j1hQyd1wqgIRXDvs9ltM4xZusEO7McS9yF/Ywm8EjWaWznabD/OOo8ul1NzR2sKi
+qojCyOgcPYp4udK0e7+4FntKEiallyuFQjbA6RGzZsnsJ28Uyb3qfQCQJyzRL+cT
+dlCM92EwfgHVnJPXABEBAAGJAjwEGAEKACYCGyAWIQR0IN+GvOFaRY3OmXY5J42o
+EJ5iRAUCXZCZuAUJETfL/QAKCRA5J42oEJ5iREW1D/9k29b863oG1q1nx11AanNN
+uquJ0MVqHEQQx/enoYHG55IrRvtx5tZ/sHXzSEM+hY6YX4SkpGhrxNl2mFpevp65
+n5cmzMsHfscT4U91NkzALoeSkfuDksp2zfi+90F+iiEwst+Btj9tChk5AWkBC7vJ
+RorL+n4ZcdCZ89YCKC2YNg/lLQuYYbZO6TcF/5nt1fbfgyEo3MyIvtmfl2Un2n6W
+RwWBhIVtjrptjn+9jd0AV5kHwgYHL15DO4swlJKEbNDjA++yQ8FKH0T7tsmkZXlp
+mLA2Rc905wgnKwwgde/Bfaw+ssQV9ZW7UBcjb53kxC2r8uPaleR80yjBBCISVp+8
+OzD+Im+Le+N/qPzP214GwsBm/uJNH1hjhtiGuCSDPYWhrKBsqBxfhiYXeCOv2nx9
+5uwyQ2KVWDmye/5nFIQW0GcPyWTdloXUPRZYMtiL6hkHmF0SSwqrwm1sTbmb888Q
+qcku1lwBD2lTAFbgp4P0EZ8mXPsDyB24Z5UH4CgWv1hOGpU37T6NIHWaX8uUyPhT
+4mIKIZ3Z6/dmnT4qE+Pric2epTMKTUXEovwYPff9Kz3ByvEA8rHJSMkVI8Pvyyao
+BlCCKxX0EOiDLZ7c950YpuaH+Q7G67v4i1O8KmutwLmrk4Hb7uOQehz0V0Ue3Us/
+n+OxhhD1zJxbBrRR+vtDH7gzBFd+ceAWCSsGAQQB2kcPAQEHQP43gROo1fKfPOpX
+g3CvCe3a3xd4AuJxSkTk0vs/+YDyiQI8BBgBCgAmAhsgFiEEdCDfhrzhWkWNzpl2
+OSeNqBCeYkQFAl2QmbgFCQpQe8wACgkQOSeNqBCeYkRO2w/8Dd3Z/a7Y9wjRHklB
+5QHoMiv2zcBV4B4wTA5RHce6+NPnkK5CV8K7oP1RKvu8aWSfSgyD+Nu5f85gRY1c
+NpLQmGZrsAX/tBVbVIuB2/4aI6RFf30YLl7WuhonCf85czs5sBcRwIW1SCkgQI30
+0wkTyAVkMRT9hxsHh4up7XclxHi0RZXtqtyHRFXMD4GjD8BbXsmhKqeg6LNhrQZD
+OO4EPQa3+nAEeYtmeGCkBw/w66QGcBFzsGWgojfJpeYbjEnL2CdkpeGrnDxrk9lB
+TeUG8VV2D/rC6ueZ5D9uqRgqp/JuobmAnuoFqdqjo/BYp6SuzdXMQcg+tI6TrVAU
+RY5AIeUPr5Qqs0PuXq8pTF0reBkTQeQ6MlBQWhuss3W2QhXWiGM9iP6hJTky7cEg
+Zq6ysU8S9raXk1QtqOyV9FCW22ItGrwQT+xsPkrLWRyqaRbHILI+1lLLFTmWjnsW
+7GJ586VBedAo5lI8bvW4zr2sA6hxmlf0c/wx5L4fMhwPBw1Q3fCj+UhU1kA97kVn
+aWUlY8E8Q7rVYr3ga8acxSMVSqBgFKLqWbaWuwTGAP37ARKgpyz7tlFRd34mm04J
+nIRjBn08lLwMSW/CtK/jxwl9vouGQ9dgtRqvPSfOKYjJQTEwLzdlESD0yCbqF+lJ
+GJEHV3ge20qUwbV/0n1xVgRnKAM=
+=R/AC
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..518a123
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,3 @@
+version=4
+opts="mode=git,pgpmode=gittag" \
+https://git.guilhem.org/lacme/ refs/tags/v([\d\.]+)