From 5a622e45e3b85282c9d0c8de42c0c4f3887c0a6b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sat, 28 Dec 2024 22:37:19 +0000 Subject: [PATCH] Deploy to GitHub pages --- CNAME | 1 + a-haskellian-blog.html | 269 +++++++++++++ atom.xml | 383 +++++++++++++++++++ css/code.css | 1 + favicon.ico | Bin 0 -> 4710 bytes images/conditional-finality.png | Bin 0 -> 43791 bytes index.html | 220 +++++++++++ nix-automatic-hash-updates-made-easy.html | 435 ++++++++++++++++++++++ out/bundle.css | 1 + out/bundle.js | 1 + robots.txt | 2 + rss.xml | 383 +++++++++++++++++++ sitemap.xml | 23 ++ 13 files changed, 1719 insertions(+) create mode 100644 CNAME create mode 100644 a-haskellian-blog.html create mode 100644 atom.xml create mode 100644 css/code.css create mode 100644 favicon.ico create mode 100644 images/conditional-finality.png create mode 100644 index.html create mode 100644 nix-automatic-hash-updates-made-easy.html create mode 100644 out/bundle.css create mode 100644 out/bundle.js create mode 100644 robots.txt create mode 100644 rss.xml create mode 100644 sitemap.xml diff --git a/CNAME b/CNAME new file mode 100644 index 0000000..4f7e6a8 --- /dev/null +++ b/CNAME @@ -0,0 +1 @@ +blog.youwen.dev diff --git a/a-haskellian-blog.html b/a-haskellian-blog.html new file mode 100644 index 0000000..6722cf4 --- /dev/null +++ b/a-haskellian-blog.html @@ -0,0 +1,269 @@ + + + + a haskellian blog | conditional finality + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+

+ Conditional Finality. +

+
+
+

+ a web-log about computers, math, hacks, and all the rest. +

+ by Youwen Wu + | + + | + +
+
+
+

+ a haskellian blog +

+

+ a purely functional...blog? +

+
2024-05-25
+
+ (last updated: 2024-05-25T12:00:00Z) +
+
+

Welcome! This is the first post on conditional finality and also one that tests all +of the features.

+

conditional finality

+
+

A monad is just a monoid in the category of endofunctors, what’s the problem?

+
+

haskell?

+

This entire blog is generated with hakyll. It’s +a library for generating static sites for Haskell, a purely functional +programming language. It’s a library because it doesn’t come with as many +batteries included as tools like Hugo or Astro. You set up most of the site +yourself by calling the library from Haskell.

+

Here’s a brief excerpt:

+
main :: IO ()
+main = hakyllWith config $ do
+    forM_
+        [ "CNAME"
+        , "favicon.ico"
+        , "robots.txt"
+        , "_config.yml"
+        , "images/*"
+        , "out/*"
+        , "fonts/*"
+        ]
+        $ \f -> match f $ do
+            route idRoute
+            compile copyFileCompiler
+

The code highlighting is also generated by hakyll.

+
+

why?

+

Haskell is a purely functional language with no mutable state. Its syntax +actually makes it pretty elegant for declaring routes and “rendering” pipelines.

+
    +
  1. Haskell is cool.
  2. +
  3. It comes with enough features that I don’t feel like I have to build +everything from scratch.
  4. +
  5. It comes with Pandoc, a Haskell library for converting between markdown +formats. It’s probably more powerful than anything you could do in nodejs. +It renders all of the markdown to HTML as well as the math. +
      +
    1. It supports KaTeX as well as MathML. I’m a little disappointed with the +KaTeX though. It doesn’t directly render it, but simply injects the KaTeX +files and renders it client-side.
    2. +
  6. +
+

speaking of math

+

We can have math inline, like so: +ex2dx=π\int_{-\infty}^\infty \, e^{-x^2}\,dx = \sqrt{\pi}. This site ships semantic +MathML math with its HTML, and the MathJax script to the client.

+

It’d be nice if MathML could just be used and supported across all browsers, but +unfortunately we still aren’t quite there yet. Firefox is the only one where +everything looks 80% of the way to LaTeX. On Safari and Chrome, even simple +equations like π\sqrt{\pi} render improperly.

+

Pros of MathML:

+ +

Cons:

+ +

This site has MathJax render all of the math so it looks nice and standardized +across browsers, but the math still displays regardless (like say if MathJax +couldn’t load due to slow network) because of MathML. Best of both worlds.

+

Let’s try it now. Here’s a simple theorem:

+

an+bncn{a,b,c}n3 +a^n + b^n \ne c^n \, \forall\,\left\{ a,\,b,\,c \right\} \in \mathbb{Z} \land n \ge 3 +

+

The proof is trivial and will be left as an exercise to the reader.

+

seems a little overengineered

+

Probably is. Not as much as the old one, though.

+
+ + + + + diff --git a/atom.xml b/atom.xml new file mode 100644 index 0000000..39628e0 --- /dev/null +++ b/atom.xml @@ -0,0 +1,383 @@ + + + conditional finality + + + https://blog.youwen.dev/atom.xml + + Youwen Wu + youwenw@gmail.com + + 2024-12-28T00:00:00Z + + Nix automatic hash updates made easy + + https://blog.youwen.dev/nix-automatic-hash-updates-made-easy.html + 2024-12-28T00:00:00Z + 2024-12-28T00:00:00Z + +
+

+ Nix automatic hash updates made easy +

+

+ keep your flakes up to date +

+
2024-12-28
+
+ +
+
+

Nix users often create flakes to package software out of tree, like this Zen +Browser flake I’ve been +maintaining. Keeping them up to date is a hassle though, since you have to +update the Subresource Integrity (SRI) hashes that Nix uses to ensure +reproducibility.

+

Here’s a neat method I’ve been using to cleanly handle automatic hash updates. +I use Nushell to easily work with data, prefetch +some hashes, and put it all in a JSON file that can be read by Nix at build +time.

+

First, let’s create a file called update.nu. At the top, place this shebang:

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+

This will execute the script in a Nushell environment, which is fetched by Nix.

+

Get the up to date URLs

+

We need to obtain the latest version of whatever software we want to update. +In this case, I’ll use GitHub releases as my source of truth.

+

You can use the GitHub API to fetch metadata about all the releases of a repository.

+
https://api.github.com/repos/($repo)/releases
+

Roughly speaking, the raw JSON returned by the GitHub releases API looks something like:

+
[
+   {tag_name: "foo", prerelease: false, ...},
+   {tag_name: "bar", prerelease: true, ...},
+   {tag_name: "foobar", prerelease: false, ...},
+]
+
+

Note that the ordering of the objects in the array is chronological.

+
+

Even if you aren’t using GitHub releases, as long as there is a reliable way to +programmatically fetch the latest download URLs of whatever software you’re +packaging, you can adapt this approach for your specific case.

+
+

We use Nushell’s http get to make a network request. Nushell will +automatically detect and parse the JSON reponse into a Nushell table.

+

In my case, Zen Browser frequently publishes prerelease “twilight” builds which +we don’t want to update to. So, we ignore any releases tagged “twilight” or +marked “prerelease” by filtering them out with the where selector.

+

Finally, we retrieve the tag name of the item at the first index, which would +be the latest release (since the JSON array was chronologically sorted).

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+
+# get the latest tag of the latest release that isn't a prerelease
+def get_latest_release [repo: string] {
+  try {
+	http get $"https://api.github.com/repos/($repo)/releases"
+	  | where prerelease == false
+	  | where tag_name != "twilight"
+	  | get tag_name
+	  | get 0
+  } catch { |err| $"Failed to fetch latest release, aborting: ($err.msg)" }
+}
+

Prefetching SRI hashes

+

Now that we have the latest tags, we can easily obtain the latest download URLs, which are of the form:

+
https://github.com/zen-browser/desktop/releases/download/$tag/zen.linux-x86_64.tar.bz2
+https://github.com/zen-browser/desktop/releases/download/$tag/zen.aarch64-x86_64.tar.bz2
+

However, we still need the corresponding SRI hashes to pass to Nix.

+
src = fetchurl {
+   url = "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2";
+   hash = "sha256-00000000000000000000000000000000000000000000";
+};
+

The easiest way to obtain these new hashes is to update the URL and then set +the hash property to an empty string (""). Nix will spit out an hash mismatch +error with the correct hash. However, this is inconvenient for automated +command line scripting.

+

The Nix documentation mentions +nix-prefetch-url +as a way to obtain these hashes, but as usual, it doesn’t work quite right and +has also been replaced by a more powerful but underdocumented experimental +feature instead.

+

The nix store +prefetch-file +command does what nix-prefetch-url is supposed to do, but handles the caveats +that lead to the wrong hash being produced automatically.

+

Let’s write a Nushell function that outputs the SRI hash of the given URL. We +tell prefetch-file to output structured JSON that we can parse.

+

Since Nushell is a shell, we can directly invoke shell commands like usual, +and then process their output with pipes.

+
def get_nix_hash [url: string] {
+  nix store prefetch-file --hash-type sha256 --json $url | from json | get hash
+}
+

Cool! Now get_nix_hash can give us SRI hashes that look like this:

+
sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s=
+

Putting it all together

+

Now that we’re able to fetch the latest release, obtain the download URLs, and +compute their SRI hashes, we have all the information we need to make an +automated update. However, these URLs are typically hardcoded in our Nix +expressions. The question remains as to how to update these values.

+

A common way I’ve seen updates performed is using something like sed to +modify the Nix expressions in place. However, there’s actually a more +maintainable and easy to understand approach.

+

Let’s have our Nushell script generate the URLs and hashes and place them in a +JSON file! Then, we’ll be able to read the JSON file from Nix and obtain the +URL and hash.

+
def generate_sources [] {
+  let tag = get_latest_release "zen-browser/desktop"
+  let prev_sources = open ./sources.json
+
+  if $tag == $prev_sources.version {
+	# everything up to date
+	return $tag
+  }
+
+  # generate the download URLs with the new tag
+  let x86_64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-x86_64.tar.bz2"
+  let aarch64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-aarch64.tar.bz2"
+
+  # create a Nushell record that maps cleanly to JSON
+  let sources = {
+    # add a version field as well for convenience
+	version: $tag
+
+	x86_64-linux: {
+	  url:  $x86_64_url
+	  hash: (get_nix_hash $x86_64_url)
+	}
+	aarch64-linux: {
+	  url: $aarch64_url
+	  hash: (get_nix_hash $aarch64_url)
+	}
+  }
+
+  echo $sources | save --force "sources.json"
+
+  return $tag
+}
+

Running this script with

+
chmod +x ./update.nu
+./update.nu
+

gives us the file sources.json:

+
{
+  "version": "1.0.2-b.5",
+  "x86_64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2",
+    "hash": "sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s="
+  },
+  "aarch64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-aarch64.tar.bz2",
+    "hash": "sha256-NwIYylGal2QoWhWKtMhMkAAJQ6iNHfQOBZaxTXgvxAk="
+  }
+}
+

Now, let’s read this from Nix. My file organization looks like the following:

+
./
+| flake.nix
+| zen-browser-unwrapped.nix
+| ...other files...
+

zen-browser-unwrapped.nix contains the derivation for Zen Browser. Let’s add +version, url, and hash to its inputs:

+
{
+  stdenv,
+  fetchurl,
+  # add these below
+  version,
+  url,
+  hash,
+  ...
+}:
+stdenv.mkDerivation {
+   # inherit version from inputs
+  inherit version;
+  pname = "zen-browser-unwrapped";
+
+  src = fetchurl {
+    # inherit the URL and hash we obtain from the inputs
+    inherit url hash;
+  };
+}
+

Then in flake.nix, let’s provide the derivation with the data from sources.json:

+
let
+   supportedSystems = [
+     "x86_64-linux"
+     "aarch64-linux"
+   ];
+   forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+in
+{
+   # rest of file omitted for simplicity
+   packages = forAllSystems (
+     system:
+     let
+       pkgs = import nixpkgs { inherit system; };
+       # parse sources.json into a Nix attrset
+       sources = builtins.fromJSON (builtins.readFile ./sources.json);
+     in
+     rec {
+       zen-browser-unwrapped = pkgs.callPackage ./zen-browser-unwrapped.nix {
+         inherit (sources.${system}) hash url;
+         inherit (sources) version;
+
+         # if the above is difficult to understand, it is equivalent to the following:
+         hash = sources.${system}.hash;
+         url = sources.${system}.url;
+         version = sources.version;
+       };
+}
+

Now, running nix build .#zen-browser-unwrapped will be able to use the hashes +and URLs from sources.json to build the package!

+

Automating it in CI

+

We now have a script that can automatically fetch releases and generate hashes +and URLs, as well as a way for Nix to use the outputted JSON to build +derivations. All that’s left is to fully automate it using CI!

+

We are going to use GitHub actions for this, as it’s free and easy and you’re +probably already hosting on GitHub.

+

Ensure you’ve set up actions for your repo and given it sufficient permissions.

+

We’re gonna run it on a cron timer that checks for updates at 8 PM PST every day.

+

We use DeterminateSystems’ actions to help set up Nix. Then, we simply run our +update script. Since we made the script return the tag it fetched, we can store +it in a variable and then use it in our commit message.

+
name: Update to latest version, and update flake inputs
+
+on:
+  schedule:
+    - cron: "0 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  update:
+    name: Update flake inputs and browser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Check flake inputs
+        uses: DeterminateSystems/flake-checker-action@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Set up magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check for update and perform update
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          chmod +x ./update.nu
+          export ZEN_LATEST_VER="$(./update.nu)"
+
+          git add -A
+          git commit -m "github-actions: update to $ZEN_LATEST_VER" || echo "Latest version is $ZEN_LATEST_VER, no updates found"
+
+          nix flake update --commit-lock-file
+
+          git push
+

Now, our repository will automatically check for and perform updates every day!

+ +]]>
+
+ + a haskellian blog + + https://blog.youwen.dev/a-haskellian-blog.html + 2024-05-25T00:00:00Z + 2024-05-25T12:00:00Z + +
+

+ a haskellian blog +

+

+ a purely functional...blog? +

+
2024-05-25
+
+ (last updated: 2024-05-25T12:00:00Z) +
+
+

Welcome! This is the first post on conditional finality and also one that tests all +of the features.

+

conditional finality

+
+

A monad is just a monoid in the category of endofunctors, what’s the problem?

+
+

haskell?

+

This entire blog is generated with hakyll. It’s +a library for generating static sites for Haskell, a purely functional +programming language. It’s a library because it doesn’t come with as many +batteries included as tools like Hugo or Astro. You set up most of the site +yourself by calling the library from Haskell.

+

Here’s a brief excerpt:

+
main :: IO ()
+main = hakyllWith config $ do
+    forM_
+        [ "CNAME"
+        , "favicon.ico"
+        , "robots.txt"
+        , "_config.yml"
+        , "images/*"
+        , "out/*"
+        , "fonts/*"
+        ]
+        $ \f -> match f $ do
+            route idRoute
+            compile copyFileCompiler
+

The code highlighting is also generated by hakyll.

+
+

why?

+

Haskell is a purely functional language with no mutable state. Its syntax +actually makes it pretty elegant for declaring routes and “rendering” pipelines.

+
    +
  1. Haskell is cool.
  2. +
  3. It comes with enough features that I don’t feel like I have to build +everything from scratch.
  4. +
  5. It comes with Pandoc, a Haskell library for converting between markdown +formats. It’s probably more powerful than anything you could do in nodejs. +It renders all of the markdown to HTML as well as the math. +
      +
    1. It supports KaTeX as well as MathML. I’m a little disappointed with the +KaTeX though. It doesn’t directly render it, but simply injects the KaTeX +files and renders it client-side.
    2. +
  6. +
+

speaking of math

+

We can have math inline, like so: +ex2dx=π\int_{-\infty}^\infty \, e^{-x^2}\,dx = \sqrt{\pi}. This site ships semantic +MathML math with its HTML, and the MathJax script to the client.

+

It’d be nice if MathML could just be used and supported across all browsers, but +unfortunately we still aren’t quite there yet. Firefox is the only one where +everything looks 80% of the way to LaTeX. On Safari and Chrome, even simple +equations like π\sqrt{\pi} render improperly.

+

Pros of MathML:

+
    +
  • A little more accessible
  • +
  • Can be rendered without additional stylesheets. I just installed the Latin +Modern font, but this isn’t even really necessary
  • +
  • Built-in to most browsers (#UseThePlatform)
  • +
+

Cons:

+
    +
  • Isn’t fully standardized. Might look different on different browsers
  • +
  • Rendering quality isn’t as good as KaTeX
  • +
+

This site has MathJax render all of the math so it looks nice and standardized +across browsers, but the math still displays regardless (like say if MathJax +couldn’t load due to slow network) because of MathML. Best of both worlds.

+

Let’s try it now. Here’s a simple theorem:

+

an+bncn{a,b,c}n3 +a^n + b^n \ne c^n \, \forall\,\left\{ a,\,b,\,c \right\} \in \mathbb{Z} \land n \ge 3 +

+

The proof is trivial and will be left as an exercise to the reader.

+

seems a little overengineered

+

Probably is. Not as much as the old one, though.

+ +]]>
+
+ +
diff --git a/css/code.css b/css/code.css new file mode 100644 index 0000000..9745de8 --- /dev/null +++ b/css/code.css @@ -0,0 +1 @@ +pre>code.sourceCode{white-space:pre;position:relative}pre>code.sourceCode>span{line-height:1.25}pre>code.sourceCode>span:empty{height:1.2em}.sourceCode{overflow:visible}code.sourceCode>span{color:inherit;text-decoration:inherit}div.sourceCode{margin:1em 0}pre.sourceCode{margin:0}@media screen{div.sourceCode{overflow:auto}}@media print{pre>code.sourceCode{white-space:pre-wrap}pre>code.sourceCode>span{text-indent:-5em;padding-left:5em}}pre.numberSource code{counter-reset:source-line 0}pre.numberSource code>span{position:relative;left:-4em;counter-increment:source-line}pre.numberSource code>span>a:first-child::before{content:counter(source-line);position:relative;left:-1em;text-align:right;vertical-align:baseline;border:none;display:inline-block;-webkit-touch-callout:none;-webkit-user-select:none;-khtml-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;padding:0 4px;width:4em;background-color:#232629;color:#7a7c7d}pre.numberSource{margin-left:3em;border-left:1px solid #7a7c7d;padding-left:4px}div.sourceCode{color:#cfcfc2;background-color:#232629}@media screen{pre>code.sourceCode>span>a:first-child::before{text-decoration:underline}}code span{color:#cfcfc2}code span.al{color:#95da4c;background-color:#4d1f24;font-weight:bold}code span.an{color:#3f8058}code span.at{color:#2980b9}code span.bn{color:#f67400}code span.bu{color:#7f8c8d}code span.cf{color:#fdbc4b;font-weight:bold}code span.ch{color:#3daee9}code span.cn{color:#27aeae;font-weight:bold}code span.co{color:#7a7c7d}code span.cv{color:#7f8c8d}code span.do{color:#a43340}code span.dt{color:#2980b9}code span.dv{color:#f67400}code span.er{color:#da4453;text-decoration:underline}code span.ex{color:#0099ff;font-weight:bold}code span.fl{color:#f67400}code span.fu{color:#8e44ad}code span.im{color:#27ae60}code span.in{color:#c45b00}code span.kw{color:#cfcfc2;font-weight:bold}code span.op{color:#cfcfc2}code span.ot{color:#27ae60}code span.pp{color:#27ae60}code span.re{color:#2980b9;background-color:#153042}code span.sc{color:#3daee9}code span.ss{color:#da4453}code span.st{color:#f44f4f}code span.va{color:#27aeae}code span.vs{color:#da4453}code span.wa{color:#da4453} \ No newline at end of file diff --git a/favicon.ico b/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..2096d33a82b7c8ece9fa79d568c4bcc833ffc4d9 GIT binary patch literal 4710 zcmW+)i93|-8y#yIWXh5(5yhvnR0{E-)Q2Qn(V{5H7KsvtjCCwA*6hZ_}rY*i92b!Zk%S*f#3%bKjn6b^CtHXaM- zWHbiG64YhL{PPIumofB<4k!P)f0sT?%8|6nC=BJY2knm==zsE}s5tsj3T9;F^vEi$ z{Pp?s=Y#YaW3PN{q;%9LPcK_lk;l zW-93{WKuoX5@h_d3}QnjvsLD)D(QhPI2)s~k8WxGSRvi0b3xNBF08p4Un={u@jerV zGK;55e}Dh{;-Wh&%(Bduy$Z~N(ey#`H`$XJ%-zKrn$VjP@Crj-x2>>+4y=k%v^RXv zj%G`l!>pr~Ihqu*=Mf=|((B8lM`TM3a`aHlJ=7Mmmh0&o;hwKb$ND>47ihSxu{Ojf*dD#C`;4!2 zU$xG$=Yl6iGMa#C=raAeK`W-Y?mk;)u)q4O5bHMRxEpX9RY=JP(Mz-ZIg4o(+hY3$ zdnM?`XohIBxnz^Ig&1Gjh~^XYzLhd(nD`e}UEWQbm4IEgA znk$TxFzZrZDXUE2h}@f##&|SX+T;Y;*FqgCOZaoE${tO!r4ZeRFzLim#`m*0L3=Rj zlBL^H{t^StSNvZ;!nRp{LUN(I^vJ%=lQ%d>k!`OO(R`Dm_hlZkZdQ$ko3d_BIF3p4 zz2q8RmT8YUsf&Cbr^12^UJaJrB&gj}ro>(ZEt)H1k6}GRKx?lng_t9Y%p_DbuB$=ZVbJ%cENVj>k48>r< z1p7S6xOp_2+jKco4&GgtVRW!u>xr25^^m3eI8+ilE0O1JVd>XH=uOCmT?Y#rJNa{0 z>db;pHOk)vy#`nE#ZPrPGQnL3*#PvBL3`wq8akQ2>22y>CM#wcFrtm@9WDGJ>zCr)r0xM`Wl5UR z^5CT%>Ox#m|N394`zqQ*GQlYQ0a&X&i)I3UlzPw<>8wg5PR3#_sVQAmmUm<(4{B($ zOvMoWUyf)3RZktsqZ4S${*wkzjD<;0bv83^SIU4GDv14FpWiTAvSgiUALC&RAeZVf zZmD|doQO$hvfK!rMV_={Nc3N$V;`U=Il{M4#;QG3vih%uCx%V19_k&5nYYBwax~MQ zs&dDek8GuhPH86f&J@wvbL52{Lp}ttm2c4h>0m3YDC^V;l9kUZK!_OOKar*>#S%ci9{o3_pT81uYJ; zij9~UmPdo`7)nS7PGna8e8E5nOE_sOJ+C-n#-YAeA(I#{&m&-`!Z46kTKbO%_RnM3 zHX3tQm`@_o2EqxleKcSKC%|lks)OqERN9``8be@XyGq!H!#0ZG>a6Y{*cxn9&rtSr@brKdhfH8n zhF&Ld6k#GNknv#@>g4ib=}obh78lXKuX1%~5oZ%v#~CtwmhIVMql^I;15Zc8Atvmi zpH&i*V-%xSwtB#+SbD-4oGh4!@%v4(=7^M>ca;6Aa0aWywq*`Ryg9>{6s4F8%*1|B zgbn(XDg{>N_dfJUoqKiP_vKjf8$H5(Oe1Yt9WdJg$rdrs2k-&nhOMn*z2T%|L@ z%{%=pI`3e*RyuFWWT`X+{-9isa56VwN$S!gNYQqZopg6i`4EnQJH=lK9jy;()fA6? zqS<(cHD3Egd$Z#!jht9R(s`ShPpyr?b}hr-#*v&@XQ8JkAR>`YWDV_UM2z-FZWweh z-s1m!8EJ#rl@BkSDE3FP$rZ;~rX4It`Z4uU*;6E8J>$L#t!FSH>X;19vQdgwpDYJ_ zCXcZWLlV3AwK|MGs-wc5kl3Pc88$DW%TH8h|j+@ugt^c_(w`$Vuh?a&_6BxJezSFYTry2e~4+1mooSh??iidi);5IrQtvH zls&_tBgJd;SA?guL*Y)Txv(eh{65AC2fSEzAA~ z3mHvkt+db3mr9f@L05}TX_EbWGFTu7FW-On5S?9AT2?ZapSa7&r#ocDMjl!C$I10- zHno(@>7@JZ%CaPh|Bzjc(Kx*4guWcq7rsQZ3no!-Bdf2H@5&J-F9)MP7SqWxVycu; zXD4a;%zL`oaf1RgfsV1ZDw!xKE`iRQc9GVq*Hl`<8JLzpIKknCFj7zx;>%7P<+J zaWPa;T@S;t;Dw&+Pm&_eMPt^7?rxpaX#9rgFA>vwY|>^y?nPo~lq1Uc&a5mkw9+v< zti~FR)Rs4@$siF)j1kF z5tx2#ivjbyv96&7XVFr@Xr}!wFmQ?bbAl~Pn#QG6S&ov0V6t#1>4yDfHe_GLp0tLC z$aE;v+aks0a!xV!G+Ok|;TF+op{B0OOcol?V9u#1>KUfb5#tL){GSX5EJ}Zx2dT8^ zhwT&w*~q@NBUVpc;`9QoW}rp?&Te@+oudgDc~&q;k0mcLNq4RQXMqQtgh zFOew^p$_vhc%@9*?&Y{8(`-yi!+SCK*Sgz1q-$Jzoe+WvFFC7E?_Ao2L1OUl{cUI$~N_94||@3^C9+c ze`mRur0XVn17GK1FdD0l6xC7LR6dnei#Se%!_!U3gnBf220@ddlt~YwvL}Z|zxlq+ zRZ?kyrRl={1rCNS&h|+=La$r8?%UERx1;NxtlFmBdG!sOFC9cv4y~md!9^D#N7DTc zO*J27C@-8Uv6A<%EW5IIOfC=8F&>4=#0NRpcEQoRf1I#e{xFDbXz`Nz2(GJhuEIvG z)W^%9T}TP^9&tEIdJ)J_2hdhiEBd<$^l8M<18HZ<%`_6LvinR{ebZ&8h|}f}o$leX z`}qo5?FhiJAaF&|5gNQIO5U*vLzi1^*)My+YTayYfrgf8Msfj=^%&hvu<2Yj0`N zn&kM_CE}>X%aPBAqlsxjd9Q1~sN^6ZUUU_dE{%_DhjB1T>r?1nf0eOF&S|ah&%n}x z@^XeY%fUQNU`{yyROGz(xKk{Kq+~3mlk8{-qI9Y+Inmo3gkJleE5jwC5zVOnCLvPF$)ilcq-gMghaAoIr0jWrZ{Q) zM>cXUUVbCSfcJ9rLHd6alI`>hdRcKnt9RvpBzHggzbqZkV9Y1-1}T5LuAI)BQOtk(+zavikIliVte(=Ge li)*#YNthg45PgG>YY4Y(G!*i;BSrk4vZec$!!ZeHLqgqsEVzbiJn z{{MUV{bMNJe^2?!y@UPVYig2-82??RKOLd^zo%k;uK(Y~Z$Ey_|E^v!{_j>m5dV|a zoi_YW8UC}0|0%=&l;M9~^iBu<7bfnc@V}6HCx!nh!+%ov|5F*V(sH@~d;d@_Jv{@V z5*eT6$zkT((6E$&=> z($Z2pZd%_VB{G42#KeC${3ksusC$(qyV4O#`SQx|LuOdbR7O!zv&~F(D5a2znc4d4 zDnI`yHl5#4;VlVT-+$@gV(6z&pST(iTBD<*^%|VH^&2g&&!|)3^sjgw7?zoyE54JJ zP5H@BC(Z>QgxhI2YiO9Q|1j{L($rw`8{&_oZgKxFO*|0cGf#F$VVq+=cmR<&9-A*cQ>x2+VM1;y1)xOS=o$jZ&_O1J+|`;3dG!4(LCpd=%hY9#KXbDv%G$QkNd5^zyJ0M z;{HHTfI6?Js3cu!g*S({6Fkjo?kRR@-rgJGtNii=veM>|~ zD5MTTPEJlKXgx&5J=Ca#A--0~H>hKex=n>+ajUDUHo*qHF48OFGepSO#e&rj4@((CIjPZI^m3pCA5%tpt?__EPGJ6ip*nUxgIz{`f6XVe9n zB|TkTTAHO{1~AAs81DBTy?9F5E$3@kdTv;s+0E` z&f^t>VqOP}uU}B7o8K+kW4CI8kdW}D7x9nozOIY289VQbLz(NqMnjA(3PHzzKJy+6 z2+d#dTU+_GJ{L3$}k)%Zx3-yGS)Mu)(cTj9a z0TymAJvK4Xd^(;KOyZTXEs}sYq?ZMGb&f;+V)gc1;^0L6_twy_oZ_~zfPjE{@b@YpaeC|EpzHVVce>G>Y&~Yd)zZ?_ z%gf75iiu*M-X!~zzE{(_h-B_wrnWOVjmULvJj%l?~JsXXiaLbYRY9At9met#Aev z=PPW2Fk%t0zys}w4<9D^`h4S~cEYubtFmp!c^%28YvMe=}1^ za~s#*$jZ*vb&>^Y(-&vp4ZROJX}cE|%8&UkwP7Fbakg^|_6(k$le6A0gsQu!Xg`~< zUgz^=6G<@3)OFsOME3Cw5|P+`#`9WzqLh*YaRJ`y(NeWwr`9iwi*&c+bv=jnn5Ctq zqwJ%j&zgl7mm3D&^9{L`USAP=GQXqJSm%&F-!Sp(4qAh`;1`iyT`ZTqx^U~Mia`m) zzggG{~56g=5zz2z?2ID;{R#sMMY%;%uJ?}#$^@+VqNuWsq3>{uZxJlA3~%_g7U{b zxUO_wH?@a!zvvj=hJ61~{`l9nBx(H+zY#6Y_36HOaJlqMMy7T3FR4IWYLUuwuI#ch zquyA~_1AW&FSj1&(bd&wt8a^s!wpGjo;;y8t&o;se*S#YdbnJ3HjlXZ=4KS3JT^W) z!k2+9TI6?4fsV%-$PJueqtBmP)!b9hujA9xSGyy2^EaK8*F9$mE~?}blmp&Ni8H7- z;e>=6BjndsUy8Axq(fmF`i=<2=BUk6#O&F4CR4HN5Hddo_`m)|DHW`fY?qtv<2eR@-fjdLQY2! z-lpBAAYVD%ty#EP3S9GoJj9|?N_HMO*#!4h#fs-OfGLNaOuqnW9Ht zdJ~wq6c?*$X^A}ElHn*}kPn>SZl?AXDrEAK*kPj!0e4~ z@>2{p=PaF1)~P(mZhTPtk(bB&5shE_`a&*`?MU}l3~2EQLGpwcVOEq&b3E$K#VK7b zB+sp{uW#6^H$Gmc_Zg^?g)M3V!}30F(B-OK{7R$Q)!XZ}7UM51?VqwL+~NAE$1yB& zF`nds^9A1;+18w@=iGNE$CakC;_WNW8syRsH_fw)!Li9n*NGcZLEFi6D0=JUc)PNQ zq09o+t1zg8CFvP)uy0Gt!bhj7)$M!vN{gj&8fw1lL4_^2!&h8yZM){sN%W8>8l!`rKSHNrDwKcx*qzEIy7mh@r1|WDtVvI&UKfc^CTQ4lJlISob^+kT`=&-SCRVuV0;- z>#lm*gGsBJx;J81CPk?lWFW0wdb7((G*(fY!q}J=iPfLhxP@-d++k^*wn5*&dmj4x z^YZf6&$E%?qZ5u$rDO6N!B>7kJFr)Iy&q`thj#Z2d_Gkn7|`q!6w-G;*Yv%#`Qk9h z%wT-_4S&w(7I%V#)GiifJnu9y$J(7Y&}7~C8DqXpi}O<&&i(t2=Ksj}-a3H)*``Hv&Y^P` z1f<2`*k9BLO1nnqUQVIiIaN#j$d%e|bN8q%vb+%2Y`yQsbgDTkJ#Y+uPD9x6`oi4N zOu3io%K}l0q4eA|_i--|?iIRMAm{$RUM=2v6Y0hu7FStj+$rn59T`cDdA2X4_nqmZ zgHqCUN7LWi`LGoZ`3d(qpaVj)_8@uTjPXfD-NZH9vp+nLTR-1U{5Mj%LMHO`=~KpL z7c=L8Jkio)*SRw*b9d$3w)7mY!}blKd3(L?fv4RPP|uq#Od8Mck8u_~9^%rR)My$s zfjq+fY(`$*1vTi@?6#3oGZ(iSAJ-lq@Yfll#BHZq?jySLh4;-q>s-Ym(!=8;KOOJk z+04F)*nLn{`Oczo4ft$ttw=~ob ztI!k?&U@2NGd49l98+|cfhoLR>z5mYMr8LrW##0yB#_8KhnG!ladB}Tx2F?CcC5BF z&t+h=-#^Y2Ua@uZ!mw|5t8He^R-?ktYnK`0ZrnTi66#+&dgpK~VuD(X+-7h5hm!Z> zU$|sE&&0j6R%`lt`<=X85IWlZ{{$y4O|_1CUAKpF48pgIzTMjVmFI@PZ`5|~9jhc% zu0Lq4>oY;K8*4J+fwsQs-k%s9t#w#=IHAqiT10EU5b`Aj?^}l55hUPv#A;i}6V?Bq?Z_V(=_sDS1YYF`R?O2` z$ssPv!b&_Old99d>FB7Jn0W1Ffq-F)Zy=4Q*1vjVe7K>Qp8-QZ z`c>GCU;(FY&8V7YgMN%&1=$Afmbe+5&JM1+8$U=yL}X%aF6$kBaPS>eNrp@q7ru{I zI^;FF1_xodU*5*sq)wgGg&9*DDHI@&_nO10AoQ0nl_YLMjM@Sq%shoE_tj1oG4NA- zkjbgH^B@nZnf;8=G~k3bH}t&Jcjg*D3!v(3pK?&K&{0)I=-M@nt*8)2shSO@uGF@5 z=G$Bd0mrldoUwa8dSI}3*MfpUOeoaB3ni#Zv0<5lLY`w>Zh`b~GroiD170r-ZOzZ$ zKU56q+D*TWbrc%7ZlggHR54>uixCPLTWSkzzCE+*9zjP(*VJ=}f%(%H5TRF{>@T1; zbJHNVAqbDN8GP#e#?x~lQldgwaldU%Lw*}0WWK#Cf&UlO!0UFcSWndB_=cjHlXQgjRbEG27kD$UVjh2GM(jc2fEBn!J2H^ARHd2#bn92=$ zd$>ur7uC!+8egAPe+bjPcH`EIM1&bHj_aNZ>H9QwssnJrwrTCWaQY$e1>%uEe-cnp zacDpHv4Kx08z+CH-WNxCmU-4`Z}gK${%bAkZTZ1|e<(LH(u8nVF-Z_)y@_vM{i<`O za;4l@XSV^Re|vj-I_>ngJJ zqE|?kdCv)a>2o@*Tkfka(*{$FaW%btr9a z(t>-|dFDkaC(zhbJgy0S*l3NxmJmPNb{P^?Hr(v=B^yUV%I>;{*lOsdR{GQMty-QpuSr3W=^e)syI z4b?MRcX*XF>4PP4hpFcyhVYJ;5p*`lQvt z4ODAgq={mtKW~k+3T>SRMchQjZ9;znL{9R* z?+zhRZvM|kA2!NsX-ysvHrY4+ec~N1e%3W!q#H)Q#xl&ZVX@N-iv<~jLIgrd^rh_^ zs%zz?8lZ~spKLEfA)XiSWxMeNa(N{m75)0950`Uw{rmmN;rjK6#z#ux@H-Q$U7Jy0N8oZazwn7)mUl=zo4Lw3bV6o;U%13$Ow(`{{8z} zL-*X~L{@%*W%_%iSDTPg@qVf$`1+pmKq)cj<;hSRVWj&!!%k-!+y{i=nPkJY;16N; zdrx#L+^ZBKU<2Yp!p|qQ655WaE=Yj`;Lgg;k=M{_uq`@#-vkXIpnrGe=-g2I#9=n> zVRTgdPcjM$w*O2q1B^!?Y4Jw`=iBSophU!R@ShIx^%bfE(1()~c99 zT;>Y3D?D!g^L^*=hH!pr2d*yOa>}&O&wgOO4bJ=XO&)OyK>*sQ;hxCxz`MbP;tg#_ zGAl(F4vmfijIsN4xoDA}iK8zOs^A#if7s=qn>bM6b+foF!g+|NZ@){MMT{Z^@p7@eM4kQ5-mTk0`>9 zj*mkE<@N+azgL>!5J>`yt>ykegyZLHo}H6D@3Eg|!q#}b*Ua}~yjB{*B#Au~O>tN+ zjrhCXD%nlHF$iy&eIN4ViT78aOip>M<+?cI#p)gu41Q$dpK2MM=rc2B#n-`D?uQIA zZ{^I%&-i8L=5pG?gLhk-#~42h7`@MZ@?y~qRHZ)4hs>sI*3*@Tv?$lP8}e&Os!r}- z&;b$=xGej0qjvdUXl{zFIHOeQ6c+Le7*0 z^Rclcum-A5LG~wx`$;Q^4`Bq70Cs)Uos(0sT=Mnn z*Dx6DI%$MN&(NUsAjeTrF;qPp?F9GIh)06E)Aje3EkbKM;17Vu3gpm#I;?~W<>bhP z+R4XxSGbS$IH!cC?0!!E5ca}YFWiQeE4I*nxiacwFv*nl1Jqq+Up%TdRRyt{STFEa zz49YeD$S2B6U6kTSbqDr{mvV98x%MrsObJ$+>KG6$@#%#I* z0yjh|1nz!TBVSv!Ff}!eWXw@WpdcfA=I4gVmQ=L30=%3)5wWQ#@?wQC7-W3{H2LnT z?tPDq3)$42YJ2ik(5_xtCR%6csXMt|SKG)5^*?_6IEeCzxq4N8TVN5}gLLx%9P*<@ zDSY`oU-#20&3ruCvkhm6nd$Ypyv8G3Td# zvI(Dd>Zn_83_Jz$`G;}T)OK_nZI>9u!}O=svVrU&dN>vij_XcYCj&jb$qyo85-#LP zROW8kQ4|%yyqGjvB`m2J1f?g2o=;);0^cv?V*KPkir zwf+aXnSNUhk+H((lk?9 zTx`2N&RI-r|6qa{i>^ak2*-A&x@y-ocm5ciW#>L=Htv5}`QEgg@Ci9YrJfqD>J8_`vCOgW&EG;3aRSYsE|hRHa895L zl|pNo698#NO|Qj|361xXLX0Xm(Ox%wlkw#SWGi=hxgR_HIlq6G78fgR=0Jcs9ld;? zGHz11oWq|^aH({VgQGci8ng*5Px+SYs5jWtW8JLMoqvTU!Yk-dxEir4`5m|tV7x=O zRO}o0g01%6n-2o6fio|!oV7#eG-*AA+G+}UkM7M|vw)Q+ zLfPmgq&5}p;Z&^J&$+pCcXKQ8Xx#WNC+_8*Zev?o7VL%->*d{NVdLRhgkO`s+ber2 z*?79Xkd%}Z8a|z7yw=GM^RuwD_{sgkv5Uuin~J$w_mAe?_R+JjSlnDZj+FlVIR!zc zZYQT(+n?_$?;!2wb{!+9F@|YaG+N2ujRk;VfL;}I{VIO&gY9;aS-u3}*wdwDET(oU zjsAYrG_F55JUEV{++{G8QC=KoJnsccOC%`Pbp&WizTRAPuk<;L&9rWaao>msymbQ4Gg@X5z&Mkv(_lXs*@&K4Qq@5iwpKTZ(-aP~ZIXGdY>SHAp*9OX14^*m)N%vX;( z`QQG*CG|CsRgQbvwYm5QgHg0PDK2BuTnuZjd2gW^)y@P3sKmeXnt3Jz^M&~)3Dij@?6|S4aUf>pK-Jm@#bNNA{)NhSyuq?h{&=1QP&~t? ztjFcI;oIAHEwFS)L~=`uZMgpDGyvv!eHw(-#Dd0Fzd8{Ifa2Bdo9mPse|s+O(GY5lu=Hsp~w4bhm7YHe82~Ft$!S0hG1gfuys%* zWDA8hacb3%RqAQIvuGIHtdtB;25A`w2@w&$cjJyyL2|P7$}dpLS_{r-o2N1wl=lmxb!Q`raIs|rXfTQV{~2nIq@v;}s6wK}n>WEH zt5*%b;)}c5fi$;6h6)Y+_iJyjPqs=LGN8O>+a?rHOmbNxK5}x@^V!Oi5Vic_yeqic zjP9FRyEnZJTBFPc=7-DDPEJl8GPc;Tcb}(AIr<+9IA3i`npY5eQUDd=z083WXcnnl z-Q<9dH8yuLyMZ~tolBa|u&@F6&;>TSN8A!Y)!pN@k`<*CM)`!`xd750ugmdb`ccFQA5R-Nf!QnRn$CC&w}{IfX)Du zl0qy;WI|O3f2c!Ihk*Ej<)1%)j=9pnA~M4z_!lAsZO!XGQ_W+d&&vXp{a|FI=u}l7 zc$J-<%gEddCwN4c>UuNW(eZF2Fi|w%b$Z<2zkmA@1$rY@Ks%6CKBR%gZ1L6I$d={# zM2l;{HrN>zfA0D;dYl(yT%RYo`&h1Pdhfg3X&}|}Yxj>I8!w%XX$l03=!qUzqoGze z0>L&-?1zc&MVB0p>!Lo^a4qoTI|@v{w_PAlk1Z&H>y)Es%)z~`fs+gg*ZSm%qmcvY zm+>Q@-YvQF1E6p*WCWWyHHCGK6yp*+8fnn|JU*~+sac0gd^*t|90_u=rnZl(IunwMtduttpK?~%WCVA=f(<2n2#LSnTNEH);Q*S_WJeIiUK0IHPKunV|^VYdq%aCUj({v#~4oqeewXGs1Bx_`C8|)`-_6d6ZhYfe(+3 zuuH74otsXiVD#|G$;z5{S-96t?{mA2-5ck%L9%8qL-AhD((;Fizkrnn>ootydXkTj z*Og-e7HC`7EI3$cYbQW@hTmKl<;>r{LF*CO%!)G3DAJ}onp$oz)`bg%U zB4%yNha*I_o0{42NOd+M;;_8IaTkv|-}?INA40qZX)t()MAAAAjo8IhZW=B=ejMx3 zunet;t~W(z1ZHhm`EnS4`d5o2o7Kb4UNshO39WMDhHEIi^?Khd&3PJHv)~|z*92iWPl2qh(Fwczses1y4w_Jr3OWC|M?;HI`!`>{apH>=W02t|Wu=po7TEy|+ z&y@%(0BS7|J$QZ>L4VpMs%mQ17Df-IV65qhNpRwEbs24v!Y8 z*k3&+q1uXznyZHXW*QPbtLPRT>g{=hY2)1!BJv(FE^)5;e3k37y()>JkNcEvBTE&)lB~KG zq6fMmTY~J|p1Wy~mC9;zowQ!4ZzM80IA+>< z(b6#MeN7G97>LPxuczk(fE+-XinPE;jrkdG|IxaTF*}wU6^87bBR1DdRMn~Pywr+$ z82u_7M3?c>#T-Ya*r$m2-z+mJF7pmsdAZ$0AVRwBlm)_3-fkNo!aArPzJFt4Vsi5? zFZ&39)ehkICxUXFF4K!?|u-OG#k8*!LeikQMCD`~7>i+%))H+4zn$rfXX#@ZyC^ z&O3ku8;8G)PeKe2+{>VPrMS7d8A)7TQ8DYBln7saDP?rwdtg=4uy+?m3oD#$=B4l@ z-ha>^Sboz&ne2VF89T~a@>{DJ-g5HIiofp=o&?ips=vTU0w2r9_z_4b4Er+Y;$vMnKTIZ)y%RD z;6%iFmSt7vbRbBVvzeYVYCENmgiCPPA-+tA+6}lRxo(fI@60y^6JR30fduE(=g+{& z6c*yF{F+cS&KZn%=(j7TiTe4>VC$}94z}7KCR)d%v}B5h!NLX67VPit>*3!OJk7xH zYHMv>?@NHSH?luZf@9O+(TE*%G2j>JB{7pdWK8xLa05)3(~q8q?Vu>qdj0y#trXHZ zA;oh?*q^A5y;-@rkH1)roqMOPlFYBIrG{IRa}2DU#nmt*|2BP%z1FjYXeyre?a%j*{04@h&P zm9yHM?2SRgWsT5+cPFi*QTS(my$OEB^W$b~;7Vc(#YrTAD_9tMzkmCZps9bdEJ!1U zZT?eXzk~Q@YBM+53H=DwtMR`RwWTmpq)&{wvEM9H5pDHN-nW}(?{NZq5 zq^io*`Syh4>h~OIJr}>?zxw8Vv~tI!F$%lAFaN5Z7U?Fber#;#?Bca?!ti_w#d{_X zhYn0vU3RqTCwG7}aMUa~?0X2Au>H?|GfF{6i=FRFfDnNXD3GoDpU!UadsBV(rT~cO zR9e*Xk6`JCQ+%82bk>RN8;BP-2geSmiyCjwW}Ks=e>dFHNxRo<2H}stR-QQ}rIyyOdP~y{cy4QeW7SW4r zn|SH<7|zPUQFu5+XM_q~f8=;mpW8diI&NL@RMMnS+eYl9p60tgyRh&D;8PUkYp7Lr zBU>6r=kk|*NkK7SlAY6|WSr`KRR<^s{ha-0_}g1s>^;5s)FPwP(`;{)=kJ3K-COCY z40;Ce$Ta?B{ow=MuV0a*Q=A1FMV{M5K7f<=LjUbt>}q^9vBg(N$VBbVQ7@R5Hyh|x zhl%btZV!kO%^?X$NMhqz8kCT|+|6^p6szSH2m!hsoq;Bt7rf1^S)r-GHr&v=9aGe z2QLp>Pi(4S_mAGgQV=Wwwa)E)&IM#4J7NQZxe%Oh|0sh=xu4d1Jx(W(B$eblqB31J zw!)HJZl9f^T|=Y(|aZly?DwJvihzl9XP_p~lLT*+1{<6+lo9&nu$lsg#Qs1EK3S1!+2 zLrynVf6E*H!_X23k{6Yc5rml6V;YSQ`tXYiWm2Cjhd@HIiOY{+KKIG^DAsxO%@F~i z<7X{z&;QkPInvz=IY;*Nm5hwsc#+N4Lfe>WeJXFR_Y=eUT_gs~$ab`tyw`S#I5t?F*>VkB?GWg;qMW$9-IYZ%kI4#{j&ps(dwl{o<7fST3bDg(o$z zLuvSVZvE%a<#!%$Bzqx#yv!MpN9Kaf@K*fieNeY|#Bmam^-b(U)%y8-D0=;nKS9_S zBo&@j3=r8EyTr`jfbzQ5+pK%kzCk%o>S#mud|)p?Y2C1->FV>_4vHmrq$@>3*Dg0p zFsMENJs#w=#>P?~mY4>Z_KP1AMz*%Kak8#Gauew1zbHrG!ovZ~R_E)Bc1hCJ!#c0h zcml{%dRI;W@M>rn+GXO&@fdF9&s{nl!`_{4+75SFXj=Soz4G?2+m+7EPg{c!LuGWw zUkb31pziK3U%sTme~6FG&L&5cxo-j%T=`L4PDh6^{tKln|69nH@qe!5MD?vzT79QN-F7dSXLIyOl*%v;9nK7Mw~XigWl6i~>e00_qX?s*pa2L0 zfFz@mlJtOujEuDM{8RrJk+3P@o6Fs^T}Kj@Aar|~2~uv27#$G4IgKkz1`k)V3fVy$ z=;_lUNNQu_jiJ#JQ&?c&e|@Tf^ThR?xtf|%d*csAOF6BfNrJY8z*~3~MNI{}sm5GZ zML!P7=cjY*hcCzwhGD$-GZrFn?>k>t04{5#Q@29-k37GSkR8CHOYNg>C&2V{baX!& zn30{(chIxI0-=ARJgs+8pRabKNJxcR^HnH?Y%D~1N}D&dltd2S6v%-#jk2xioJAr= z^WFY^l#>Gq(~qO0$P`8!3HI|X#OS1!s;;JirmimdQJv{-p31MGne<67w6>GCDwxl= zn}Jv5Zmf3kCs28u`prC9EAC#$3gnMZZa zR*Ipa0s>V6Rb${66kaK)Ud|%U>)x|niPGjObvsMz*;0q5&0t$Xy@1zttFB-5dKJXH zUb8K7=Nf?mN>?Qp4u@xC%+@jag>mZf+a#Jo2aafC$?<1wE0!hDJt+aiE=9=nygLnf z{Ksd(W53BoI`H_xpap7RU^KerLZM+w{+iMYiKO|UeWnhPbm8I$$dWlxR^5O0RX)v_QijISG}u!XKX zgZ|40`e~LXld4Pq^svFtG9yx%L~%5tg$mP4-1NbM!F1&%OZeI>$&XG9G(zgK1_3`0O`}} z0_(>5YCJNa3M#TPY~JT(Kn%Ev#-AQ`XbDU#lo>a;Y17`igm;@&qo2MP*xQ`Eb6979{ zSA3NKaGN_lXh*`|>Fb9b4pFV$cl9>qiST8Hjzk=)+3}Dxo zIiQKEYHAksbym$$1crSkji0Jp8Xvq0%&@7xh+qJ%!}Yb=1=X>}U3+?jNy{-QMvEi{ zryLCAP89elcJpLhB80T0X+Pr)W%IbNwcWW-I{6(BEvv$=6NR87b&u~wzeC4 z5W(bVHt+z(k(arB)tTmL0cT7v>&HR{g4k3Y4J@qX71)WoV%sOwoVaT-k9^PN6st^X zptdvL45{|p$RDDg6#Jr034L}3e6ui_b&Mho*4@lP%ft$Rpk4R&C{Qy(PX>QXz*|tJj zS7plp<&JQS{oeF|5vZmMP)%F;C^+a*Yu42L92HrgF<3~Th_8MNXtB!D?ND(ln}E5Zax zhxsvme*hUxPA-8K8w>^lMGGc>4Zp|L(^306Cv2ETkq*?;grjfx|9w*GoyEV&zh!st zu7DBzAu z!q6@%Dk~i?>B$qw`TNlqW$SHa6PQMlxoS^Fq+QRVUto<@3W@yM@OR$csfR!Brjc1SmYAXe0$l9q zp*p~E@5n5kDWIPUE)x79uPDJxG_!Mab%*&kem6P+sxM&xwUSg7mN zC*4h;xU6hGQsmF;*I)v&fcy`D4F&^dW@e8m7x@{k|Mm_zR6fb3 z+~sjw7paeBWfA6mKTD3c3QBfZIh{DICX#vaK+^=6h!qDUNsL)&#^cxNX?Cu1 zBzI(*GJ>kbr>c@AdEFv0HkFOi60nzofw&s|Hfy(2u^-d*Z?=E~afDAz2fx@@ShyZ_ z%P6MtjIWZ-g=@!S+zAYHS*`a6!GS(b-D;jt^qaUI(IRlZmGmj#arxcdsdIh#( z?u~lyUuzsH`$A#n*S&|*W{{DeaHLPgdAFSJ_lV5++PFh*7ot)e*Y1S|A z0=&qyo8y%n<@j?g=uX+aWT4i@73%=n6a+h##+tIOpdc4nSZaJ-{i8?DIqBZPQ^5KJ zSbd~)01l1i@Y=<9a7t6AToMNBmBQ!xU6f}OPHeA`1!*Z$Oc9YTmz0(^1+=~#USA1B z%x+Rtax&n)(`!Fx77CopL2C@m2}+(#=DG<^A?LR!m5y7%zC$vjqt&|UOPY~2AbkOI zst1LtaKMMmxBh`Lz*`Rt7y|u-IK{1JF!r;4t zQ>xvXMLL&%Fi{TD5O5n2;M}OB-0L6A6qZ*cbf6)NtE$=&aYIr^ZRy3^+6m-4f)5te zKf_D`+2@U3_M+3~f~PArSuyA#s~&d@xP z+30~DGcYMpy?(x;uiw6{X%3JQlZ;PHP~s9y+F-S?N5{tQfn!8~{`5i`^vEmVhAGz@ zj(YoZjL!kE^$m229^z36+Z#GM_C+wr;HhiSa7ffTZ3|wSy?SXs4b4>)J$#dJM`Sp^ z*|a@(h75Q^(C?N6JSUZuW#W$F=E%q#IE`R_CmHF6XUumUvzP znNjLGEZLly?^*m`v@+dKd`)7)Jei;$RAZ`pejXT5V%=TFIHft^-kd7d9=o$`N3^{) z8$NKE%5pRuNb8@l9zw3VbNP-qUoHDRgST05c(}w~?aBah{v7KFJM5xeTU(o%%BS^l zXWG!n?9FTk{7b_J5XbPwq_ zv$M4&86n*G-c?lbS(wT^#c3QGtOR?`e17Utbl3k*^8#@YwWW#Qbh+N_Pms^%|NVfX zG?*JM+$W&1-;A19RTkePUAw61jlfCz^6cMNoD&n3HzUa?uWnNuG={VOvT1AMx8aYE zpDlPd_Y)YTcri`=G9HsxbKJ{@?XQKAnTArem$-GovZHITcXwM-t|2YPm5vh4TR zh{ouAPfwt#>SG5Q&!>fCR#VfZaBx~0%0NdJ03Fu9MTk`{UAW=H(*!{|^IGxX(=i5r+9;j zz80Znk93B#L;$b;Iz}<<&HkW3K_l&Fa*V(HcOxc=LHZafYg{~=kX9N=_r9Bzz|Sm& z7g7@vAfMhu99Y|A2SluX|N6BR91p2!3&6$BO*PC>OmZHJ(ag)2|IMZDnRfoYuI^0Hahc?Xar!yf*!#p0{2K)*uXa;~Xm-vNHI)~q(>^?Tr9h*@X#6!>T^VNd_Jibl7zMY*|EJvkR6N2TS-8H{aWq9@T{~h@ie= zFWd|!d7P=eV^tet%+5G#GC!tvndNn!t^H{w?D+dEfUD z`(`yWouRa}>#v=6XFs@H@Wk;Bv%X}wjbx0Yg7tYe%+VZR7sIa-!AJ-Gq{w=k8NqYT zMj1c*+J#2~Kg(HF+a$UYs|p1l5UiPiFH;ESMy`O!|M-%CIn8qm&=}^&$JcFA82ta~ zDn%wIe@5NnQ}OmdEi5hub?x9NWJ630rs(uEc4LKW7Loshw&394-W-Mg?t#svM{#=2 zmoLv}*N`OYzg12+o$8TSlwsoTwst6uxzRCd_}&$*=lR?ogY75jW~#;SAnLWq$;q`z zJc{G}u$=)8Yp+H!?6=zY@pgih@Rp#qtC-W=%k%QO8>*NS@Fb0D>maK1WqGt9WhH9` zq0}4n@B+oSnRt0OCyhxPZx?DBr5fS=Jx?TOUG|%#0&q5$u)$Fw)Xjzj{BVCFWk6#g z6aXOba7~ZF8kpJOWizF1AGHYoq5}zs@ZR7ca$D0T%AA3E!45~B)Ng5J-p+Q`1 zbbda&isZsyT=U)Au2ug0`8I&oY!*0;6N_mHw3_bwg>m9S9KIJ=owbgS)&n&pz+@1?R*0up2Iz>8|Ro zu3EKf>0QHz2S{avw5R5OZ2IZz&Uq0@s`Ed#o6yL-0M1D3{6fhpXHx+DSc_%!I-p{ zj+eQ)R1z{E>xiK#mBF{slX*y4aX7+=gmHj*KuWCN?jM3JE#-eWm*31m)4S3cCeM5H zSMP$I1GtiID)TeEvcPK3vo7woNaWB>B6T4k8zEZD0-O) z^hN(AGgz~$!0mE`_hOpcT@$7H@{$f2Y8bL@FqwE=;D`6FFaIRn(`V``jZNn zzqbDkV`!vavu=gA+<+uaD&@qDh>wp6Pp2XYdG5iuJGXj*{B7rjJ8VAMo!*?@xORb_ z+45;HWqlMtG$_DJ-O1c(WH zi#nIZ=RXjRkQ9ruf-6+qfUI}xdq6?p_jmz`h9+rb8t>*Uoy7Rp4 zE?{b7;D>EB!Y}UcnnVfv!tbwy#j=my_?z_g!@Vx%Y$ELd?jg!@aw_>>ER8WVLhjSk zad`|UxaY+JbYqvzOCi$a34G|O_>r_twURckH}DQ$UhkGW3b@!F{Yy*JT7G5kkHX7m zvOSiIuk+?QXX7HV)qB52m5p`c2Cg^B))ynnB`AR)p*%T0+S~6X_lv4v)<#uNOb|Vn z@dRmEHf_)F!O~&Wi+e5i@(84}0O$q`c*`yoNCOV3z4LVrQ~BkN-4pZqvsq!`S0cl^ zYeYgIV553C2ZCQ08p{(u=@K0a1!54}-e2LLR^r=XxMu+b5pUQ%T=SrjJDWg0dX)p2 z>hhG}Vww)5H%IvhtZZ@F^C<;CE=8@H+ZTAa`VM9U!Li5@$YMJi%7l@6SagVP(h(}4 zV}d+*LDd;9u7(ER3x_=bli)NpF=h7_n{R`->5qPe=#HsL<{fmRdZOjq^G6QoYJ6=G z#+-DX@8cyFkZXWJ;MD_3@pOrP4GogWks)Oi@3GB#TVHgP-5}dEZWIl_{-?Fm(^CL| zgUk!U1Ulee54&YXFJ`RXMUpjNdDjVyRZ&X!6&0BeHcrd2m<%2NDl^mkyh7pqS_eo4x1IseBP}cXN%aYsrZ!Kux+9l;YkL5o;OYK=KcGXq29D~ z+t!s`p7AjILMjGzLQ@mE;z{njdbOq(iJ1DMS>r_Bw;>Y~@n7y|g)Q$v2J#QB%g)f@ z8osDIDm*h58Xa_>-#~uy0#Th45+9lV)ra&aQG+#mtRoPMl-M2s2MOc7p2@l@X&+9uRyk9Bv|CSPBzJ~%^&;41tfQCbtj8DAwQF!(J{#i zuMKzqTr7H*R}_wx6YUehT3m8IdH({?P(0~F2NwXfNT{H_?!|PaQQf@DY6R)6(SnZq zSwergS|vz(W8jO*-5To)0$dPnjNs33jwF_gcw<9@Yxns+V)CuUuibO*4J21VHHDs< z5~DobY*IT+O;{z`IJZqAa>X)BsWKa-ysD# zxo-!}t|#pRa**6|Uup#Rilkx%33P{Jxg4shszDwTk*%Y>y`^t%lx&5{- zETEpASe~|~TuV+>3{7uxc5L;WuRjtF27mxdpS)eauJtI85~!n8crUill{KG&m?oh4 zRz!zx5Tfd!`k;V}3|`=&^}7Ev{C&`EKkoE2ygHth6s+X$?(AK)lv&3zmWDzie_KDp z^xqR+tPfuX=c(@*zK&!`}sgN;BOjD|y;Y7OK1f;itF<;S4)-pmv59;vN@OiH$Sf;h?L9c7yx4BC*Gywdj zeepe4f>&|!zCx68@W)6CAGio4Lqa4&BpXERqqKkPO%15Wa92*6-_0%Rxb1O7HJ@cZ zi0&kzNI!h|7@7sN#b)C{^IuY=5E|u#8CAx3z=J_dP0rt(5Ns-frloqoVq>_E_tfn( z?oLnzyq8+6>pXU)tzDdu7%^!Ailj(CyLLKDCobF;2NB6h+4(yaNXAhLoJ|k|O=e~& zod*JBX&Gr*)bq|W;OP1qd787#yvOPRhj~7-Cf4L-sD7fNqQZZ?B|_|d`s?sBXI53W zPu*LB2sPcV8B5rUE}lhBGqWrqWe38otZKbV za|#N!3iBVT9s7R(ln%dk;fq{pZEbBUD_N_-UyXqsXO3q8V&$8K1^gab4$M=Yp4zQH zkdeg60&e!-k=9wx*a5@`{^LUfGc%#hiBrp-Xwuf3ed2GetF^!yRa^u-ET$=ODJgDC ze;y4p7Z2reEfWY7z6-5wVQEE7>k=6-*eE{^6+x1W0 zY?l8HME{rvU^-H;`5osD*~jp1D3dV9nR0|8=JpH9I@|yJc|~_~=~^@h_}_ z=+nAfk$;lvolUT~Lp!uA*!t5N{dovL=K8D|k6lSB5(vUDxr(R=ZQvG?pMFp$q_Rvv zEAn?>usFP)5lH}Xha<*Cs@Z&b+T6@5_Z`WBip@%omW~cs${Hh<-QQYJVZd1!R#{lEF4T#>xWI zy?;O7^Sx6z`lk#}IljA)40F@5@ z9YY?*`RZ}-V@2#OY5)Z|t#k1mShj%;B`-hU#KZ`>>0*FoNKQ@;ee+U-D$S-HwBbD8 z=Ny-A%N_HL?;ah07ID_x#+=!msg(axGL5t)zZ-h~Zs%dMd z7d84D(=&%Tw~xYLN7;g7!Q&PU?(-w4JuEACgF$ z!-N0De}^Md5M_35*1C1|T=#YbpMoOh)=EPWW7i@qevOc=UY0q7a zAB{*(3z~ps^i$)OAAlp{s9b$n*BjRd*4k}N>!z!vHYpn3@1ZcuG%k?Ze036)&S9-1 zdW}({)vyvmb^qI_-&i+tyuqmY2#45_lr^nLerMLQ>n{@oTP&Y@AUFBXMlN4`Q zrD3HrGXsP}E+A^SiUe(-6Q%%|ftbt|2R0XDVV);ezE3(gBHRvLd*HYxt?M?^#j zqYT!n{P9WQw9NwK@vkpI*X3Q9bm2=%GX zkNZD)o{k0q5s2IKIz0HHd7H&pE|ZC6C1}4bg{?UAVb`9nRSk=^8*8?VGu=I!g#!7F zi-S<$GVU6&S+QpJ)n1i6p9sVm8*lPXch)E3C9@O4^ zc?Qse#Fz>|bm*VC3$^ttoK&xio5g3%o`Wfq7E>j!$(BBoC&s)%O3CX2v?ugD{Q~B?KdH*y{X#e_yt~zX-;o#G?cK_` zaLc%u{umFYI3D*>MZHmoPe=f;e2oU1=OBd|8d{Y8(9kG?v7Jvn!%wSnzhG#kFXk0W*y6poUVPnF zZM0o!getGGb#sb5tySgPUw1&(>vUDS z8pX3b!~=if@>fZoZ~JgrMAUjD@j|10T~WJ88WPa&`7(TC{O6?k;6M)$fs|Hcgo7J9 zg6iP^HlX8ox1%k%d-py}o@llYDw+cuD@>iZ?tK_4M2FgZH?5+vzeL2-S3?;pA~9Ez z3^p?DcCxm|$rk0QR=(+6cO=lMI)vCgC+Wr#&dJYjyq4k8&0wYQ9Js1Nfw0&S*YBEKL^^R+mX>|0)1QMn zpRSvn^<-Sl989_VlU+v(An`3wX~02@8%6Bm%dH-cvS`>KCa<^hFR#mGWMYqcUUI(G zzu3U6576!KA|@(Ec2ZJKtE=@cBH!p#g9$%Ol@V9As2OrMy>l6_B)4tXA4xa|Y_k5R zmQTo@y?^)kQOt&3v@INoVgY|MLo+KQzc(MAQf%MvGbD%AQb&c!-YO{m@-uEx^nthk zQ2LT*y6OV{E3O71&2Y9l)~maeiX-&X99Mj$vthBUBsjr8^IT z$2c4XmnmM4w%HGzq0w^>Lm4jWvl<((fdTh;x|KhX$6;$edvhq6rLNjx?2odF&iz8* z*)IRx-Z)6Cay|N-sO2&mtEa23#anBym_sQ;>_cBHH&FtzdI7#cA<*8cu!E`kux7>a zd@#(=pFe3G(1G}~j);xIdU{!!I_{F4LVVqS_N9)+OupSJ5SD7?7&qJ$2!$61^b8KY za`{Ao~pDaN(|GxO`u#l zr01-TPTU)A$ z@GQ8VOj&8Bq@;Q{?%57bsFWFy4c&Z`-z<;12^{jqDFu#CAMwJn zqJ!(s*)UYSC5hosq3`L>*)|1hPKxH6qQ&Owef!Un*6#zp_!pUz2@K{5I}8X_ANCW@ zTjMtb;VIUiyqNUNC@U|2*jmNlzutOs!Nthoymh$Tfr=W0G59`(gH=GFm4t<*ibJ5h zv2h3B+<_z%SmhOvNN1{zcJcD7Ae!=^Z_k5I5lZ+)WthB<&}G!JDuDI42X`d6ZWc?M(CJ-@G;w&A55RI>=)->)M=> zU@g41_B1(lb&gNge5&V_%$bjXK?dTz2LEy{`n?UK8!@n{E+ zWH$@^OW)9=z@7BGY&ZAE5|9G-ivs`!1P8|E9UgyLQAOdb$!}G2dn(0~##Pd}C-@69 zvl{9U*Tbbp`xuj6OAl#>Xiy&fOKn~N7+ zzdaEbO!?l{;cWD+x=q{1k+0?9*va8x*Mmy-Bz5&d?2C|>Z>Ro?%Ryvxf|2_$tPMfk zF5Xw>!@fm_bm`+HysBNW7mvNTntpi=V=1x5Iq;e=4TqH3AfN9=sa&>igUuYe~(|nt*^^_;C1E3{AE_LqQ-J_J*=Tlx3`7u?TjV1#YBG`OE>6&2=*ExyIfYBt^< zc?6u}eYOva7oN2|hsASx-#;FnS}OViSxy$f+2+asLg~eVyYsN&i3hWcuvIe?_zl%c3V}Sqma1{wlK6;6AOQ=M}!kU%` z_|l*=5k*%du_Y?IPc8(2t}wQK4h{e_M!zo~_p$16Bx0u;H)iA0B%o{fI9vUzC%wF2 zIsj1Ue9`Y(=x;s7o&0iHw4X|NH**EUd)h70o0CQGv8jH9(-Y;pZLZZ9#`N10pm%@r zItue^Z$EJMJZw7-417L1!y06y@+Sr)p9#u?FcQCony(^t5xmJ*Xh=xcGS@*o88~9W zK3Gv>eD${SdNE@HWXCXEe3Km`!n%2%-*B_RTsJfyuF%MxJu**bi zqG+C3{bXDlQ2?1f5+})*!?ino;}omsZHI(}$+d8jJ`|rXZN8eh@bo7&6uR|Zo%Pu7 z41^0ZqXZ8$9Nd4oFvDjE2 zXEs(=%Z1v{@7FNFwmv>yczqJ&3}qPjoCfUGxxndGSq?Ic=eoptpBg%kk_5 zRmMLN+7pn2LhGSf5C2$( zdF_EORs43v8+tz6c+I_7=}4+({OlADkk(T+`;7rTXU~=umSu}CJwvESNP0HO%tkwO zpIQO#R{8zUY)G2uDV|->3FSw9;Bsf4HOh+%zF&D z?-L~7K>??hL1R>x=|tVKlJfFh7;6v~*cU07y=dp>!1WwS4laijCq9dAK zyEXB-?Z6FaBQ=>I^a}||wDizECWL|l`}-a$R-||HB?qbKrlH9-@e|KB^mQam!EXm6 zV`Gw!;C9@aiJ!cOZ{7mmD3YMEg|+o`lRpvyOdF`W(9F??H(MYg6$xd@eUXRmpEd|{ z$fz2eftsPCHa|iV!~wXAqoBNw%d+bQrxeT2*cNrJ58QvS5M-|k64!uZ;`JU#zqom| z*nNN|Ue)y;h_H>UY;4=w!m1ER0`R`+F6Os9N@#jjxyg>i2NI5a%7*wZJgR004$I(u ztv7B9@8BldiRwrEuMs_`khH=3aBELUNC>OIc|uEq17^Vz6(70hXqM9Vg_~hjo!5R& zo=8Z47*kSH&luW)NHR*(psHxJQr?RW^_N%YLhUd;~W)E%3gJ@V?^D z)h0$lV)QRCPd^D-d=MK?Qg32vFw{pMaYszF!k@nn0o)LZ6TlX{_Zy!9hN&c6FqOlX z_11-;(ue;ljZTi&;WuXj#(6B5h#j#GqZMJcbA)Y*$shv=1Oh7Dbi&lzs&@gEDp+j} z0pIS@(TE5}qkv5-$HqcWX!4L?Cg?VwZm?efulZ?#-bKq{`^l?_SFqvgD!=3;P%mq? zEWPQBK?sEuSRI^G*{$}*n7W&?ar;YrS`a&Rk@{07t5q8I#_C-VaVy_M;XhD5t@3+> zydzM4!qnpwfQ{SvZL;cY9^=o zzl=S+K|*@dQ$1_T09 zL()4;W_29{5xH)cei#B8_XC+3c*19qjHZZIKYs$u?|nd@ zBB8VB0VuBI?uQ~l=H5;ZP&)nx85ff^hg!ZVQ7(jA1#<&5gPzBE&yG92?O>taY!%os z_QUK9H*G|ve*NwOMD->aN0>7mm@r_~0MZ|Y=wkn&#SwP3sC#r}BJ31qm!lg`9%AQ% z@>QM=sUo+gCby`_?tG7H0e=1MqU`-Wym4bgjP!PH-G!q6nQkCZod;U0=Q6J8J#LYRp z>HgXRov;kI9sY_U3v7kQXzCKktjIZ+1_s~&ES3;u<@lJGndw!|^iu2QqicCDkDK=o zUeLz8#;Tc$%^>Qras~8NYLa8a(L*!0X|P403Ki88;NeP*~E1u%wV*dL}gaTfs zaR#xsuX0vfdrv9}e{j7(I`jO)`7#)6OMt}G!xBtGPY=CZq2O^o@VE_GtYPIS7QXBv zOEH2S5Qt-08a@L<_zVIG_`>JkfAZ@~J|Uac%HOe^58?o=(~qz1TOBdCgXzP)=j0?L zAt3>P3j(Nypbf@Zm#)-R6kUhxOFS*Cb)-8GBPNKZ2!Rv`;{uxlBys2MUzFuudsb@- zniTrpw|+pzXcGd~3si?&e$1jT0nT66?xF-{)~i4qh11@eMaTeXGNThUGUoRj%pzbf z2xrXMNhR8AXa%@*)@?v!!}^e`44L%yCtp~OxDgm5+;xGgvgxi}m7l)nbPbfxc$gIB zS>qHG0K5`2EC(l@{0#(aZ2f({3o?mz7Qu5e(4&moXb#Gxxi<2OP7g6D4`&{>7uFYD zTwYK+4=!{iJD+=i_DRC-=qfE`J3O`B9A^Xrm7?PmUqa5#TNOMxP-IK6_cT52?YWVq z*Es(Of&~q;iq$vLgo^HA1{m-`>EHHI{>l(H{=Quyqi}abdwNd^n{#sG0iJl3jUuscc%dP2;2;BXW`(eZv z+0!1AJ8ULprH7;svCFAXFiY}^Vq8$t;89UgkuWacsvzDL-iV1SVUJ1nxi9B04zw6? zN1wKjTr}D!kOBth`0OG-K_F0~XzL3X_5PLOLtNhyr&Q8X)KA&@{PPJwyY?5RmGWqo zh0`Lg=^a+h#roqE*<2xW2b+P40Te^R5A=vjZ;%wFq|=(*BiTntM??O*He)&2^xr!N z;~IxS3R)O?T1bKfshmbHp8jI&RzGDxv>Qo3pwkkv&=ijfK|zF!ewnG{4P@d#{`K>L z32_Z4{t%%qKQWpAh{00A3^ux=`r+0&xkG4h#`^{Ad6x@-I_^Z~t)*G#nGnV$4T# z>x?2)Vu;6B?U%x;{wx2JxTcz&D}B&S)prYw(H9At-JN3XGIS{Fe?8weu)b4JI77$F z6XU!Xokrhh0M=RIiP2F7Ro!f7T*MO@lOWRv@Fh0kZ1kEjC zFiEYNoSE3LG_$hU-ZI68^>SuVi%TuvtTue!O!);FZoEb_-x-j5$* zfJ#%>DinwiE%28z*C24uBB05^33c$MHT5MJN3`_fl)##(1Z7!~FCV+`CB$uoK#>qp ze2eZPH^E&yfoC{IkvijnnTcux^e%y-R1M3B0xk_$Q8TEiw(#5#Wqn{rGW{_y(Qf>8 zn?hW~Z7ClFyFKHgi(S8QQ7%}DY{&X!PZ zQIn~WK^jL4SuRe|&hGfSx@)d81aV!@Fuj=MLz9{ifMmuZ&&2^#L^r1+IRnGX%u z7NXW9-$&!X{|Mp~cjgts4td|j^+n+12_@&D_!>;kL^qmYSw*Qac zvbcJ`N&W83rBL_BWIG$`+BmXW^-ov; zIbLtp^7v`lqr*7;Dk45w@2Q^K?GAe@JbM&zQ>WU}`G(DLE8I*gdVz`gF$}iH3RJxZ zNxV)PW=9h*vMDv`r!XT&RxD?JI}U<44UL;Y)iYVgyD#L7HaRnvM6njVy)|oVohBF% z%kvf@AuIb@kGgE5&DtM?b6WJWcS@9uBZ}CACsZZ_^s<>;q=Vns0&M*Aenbv)sCZY` zZe+7TYF=3(Za1R%@krcceQ@XbOliqOt4IMg{=FKlL5)ktz zidx+1F;L(afE}8L-mehfQ}W26K}&ak_G0SVir9+I+Ln3g4+)NSh1^>XgYz|mF5CpM z!;mW5x!K_gi^WVFK6u8vV{}-c>DTn<}Fl;XO>g zkBqBQ@ZyaaQWDq)j5c+CH)bs?Cc!uXHZMxxGfm? z_*u*pGqe0gKx zLA}*#()k7g+0V~>jP{0Ry*_JfCT>%nkb|6`KR%fgIyyUh+!{g0uMNFTP2Y80A?fSP zHTfW$f~Tu&S$RIqBJ9YWT4(+3+Sqe9W5LhlDVo0J*RcjvJAAp}%FZBW?0k+CO&*wr z>r%tR59`H_kL+)JaE=SY_X4guqI!GlI?v`N#ogzSZ~7jTS_~kQk06J!zFr_%h40m{ zM1!Hqwyi8w+_%_3zZDOcJX0H!9=y<}dk&8f=X(Yue5wdKc z|Ig{2mdpB8n|-7Q)1}}pJjw-|jl*o|apZgPCaoP!U837N0cS7g->ysE+#}!7imiGJ zUgYCPveMnL$tXGFA!~2Z&0_6!vFF{N zs`=JP$Xn95pCY>}lg%T1GG}vA+}{00x7O-*?%XkoU z6u(SYUf6V^OYB*dIddFr&LXv$VLujIy@m!wJu2YWx>}hV_BuMFa>Ms~WAvVd!S%c% zPc#S?;8Hz3J?UB7?AlKWMHP}!!g0M$+j~FsE+)ouv#(7|^LEOtj~~?@OXmwJlCH%=K*^1&X@ew{Ca0>YbW#Ye=7} zL;6yE;7B#ivEwv0`;6g(Pr@$0>vh5+=Uh_GcVF_=6~#!NNq)C9SisYfYNPRA7x$%= z-(Q?Y#~ONV%^r<+=j~`qAX%659>xiH&8;{9HAFuW=Xgb7wfvoudFTlLH>^`whW16N z_GtU-NB-UMKe(0Q?-(!FKTzFX&&Nf+%P4jxeI!9cg-*!q>~Np2+5i591EwsqBC~bF zZN?F~G-%TA=8|^FPNivU^~nk04r#QfN{V*ZZ#Okj19!D0^fpchF29m%I>W!H2L<~= zw4yJ&HL0TLWyYGK|A=i+4ABo>T6#KqV&j*+;XJReM~+Hy-uOKl8s11Pj>6O)!wfJ* z!@j$}pKZ7n+>)>#fr}aD@Y){Hh$v+nNqGnsI?ef2bhOM@9AV|N^00!hUnE}_`{E12{n=A_@OTSlUPqA5BfN7IUG?Uk;k z=kHkOPE6V{g46QeXEUw*7k>>?GdwljX-HvqE04^B3fAquUs>Qe8 zmuej0?S{uT%+a!|PL92Obl1sT&A1wFFRRi73m{0=ul*+;WwFqjpB*`9IttH=kabvry^b!go8B*6v0^zbX9NE9DlJIR!dM)SWr6Ng!i{BmPzSb^JTY+banMEPgZ?> z{WgU?`qW-I=V3amMh`QTSS8+e_5#Pgn$?Mq%#3*kG)zEiPDi`Ynf}cH-q4%lL&w$9 zBW^h6tosJ1(ef$jdcxowZN1HBZ!RwHzx%l?@mm)0*x~95k;8;4qspz>85c++COKSN zpTeZX7ND1Js(N#rNj(kNX}Ti_71S5&*99YBH6(b0>2~vMn;#>_9gznylW@i-j#w}z zrw?YEwBZ_z1^>De^3vctDfnDF@>fW~lR#DL*G?Dt(!pt-NAXB}TXpPQwZVxSZ)TOxR~h zI%H$)j1^#AdY#MKRd+Aw6#K9D| z=z)l#CKh{lgo;Nw_sZk*j&TSJAz$SZ)Y_T7!iwu!HV)_FR%R40K5xbU%^9d-V4Xo5Ij=Vv!!aS`FEX3sD2gjq5fwBxzpbj1my%?bd0(ja z(b(udC%mqe``^ET+I1Awz{&f+d#iB~h`$ELl5dD1I4{MT>Ui=ousr<)c6c7+U33tuKl ziq+GT0kgMm(^zkT8HB>ZbiD5U(@zvAQCU6tKYpMO%Z@Zf_elKiOo+6(b?dU> z&#O97htk>1GC%~RqMKA+ui>rrdZn+Vm1lgZxo3#c!aztOhOiIZCRskBdwx1&>WsV_%4k z%Xh|Q{2lT+(n9Wi9ysZ|-R>uu{k*s2C0g@Q;dWxgTjlN6xd8I+A2~)l+RxAcGDpl; z#kDB;F@ambiFLVlRG=`e%B*P%5<;5Ebx$nHQ8AKC4G_97bei~^Cy?2~C!v8>lHXDOSCS5U0$nqTW zr0{@%WrLlWn<$geD5-+D|cbFi<_%@=EF&fD4s!{Zlh}viW#*|S3e*xxe zvZX+S{8@TqXz`Y=Q`pt@Rdar*1oy?7bmVt?8(5I1`BmBmGI#~3;%H7e{p#bZ{o87yAdKe~*sF@;XJwBA z6_Sj295;T>cGD(}8=GJZSL}j^kP48RMeiHn4)k7;zr-d)n9M$>e78yG@bn00jUSn$$=f>v`@kqmIG523n$zwB}D8_Oc<-s6-7=NV2TQhfxQYq7{ zujk_+USRn)t0J%M-)%h)&3Y$!H+Wo@stoU|5pU+#`>0gm6HTGM_ACBb10P_V!u5)= zW5$V{Bj#braT~dmEN>qPCBJ@c)yWi}K!qd!<#imOgy+%8uUk!>05YyEkE8KRH&Sg==PTyDaONPzuMFJ?_R3sYYZ^4 z>ao$}t^S*T*+vmhl$(U?dhN<3zZtVv@aiwWCmQt9+DO8s$mpp)#`B@M}LJFYe$(9 zW9P!UQ8TbOV*|#6wzS&?L8I}8(N6a+e+9TDGLFdgy=QnPkMe-QEYzbp4U1e zm3%?Yf*||nKjN5J$=NoZZ<+PJy;AQ0r$&3?V~I9{8{&#+MzInz3Y~F-%{!|08{RV2 zHIvZ|a#Ma10^$$(Dk z&tN>BmUI_JPS)2YKMn5jcTbmqud2&31-sbW_H?Ymh$&?QaSqDFK_#}R7%|hz=_Z!) z9h2g3YWHT>*2klxhGdc0r03yZ{;lkPc4cyVp&HM@J=pe!&?|=m7MoD)jC=jta6RSU z%uAsUvohG?oTp{N#Nc10qJe2P(y5McnyZIYIQoaKd_%N~%5sKAFdV_gkv(BE8F`9* zg&lUFrvjCkjio*c*mgyH1T#)F@v{BjKHaC>>a}s1m%f8El2PmVUExQCfZ9!2?Ipf_ z6!;X`H!uZC0>~|YQyt54_7pC^&SI3#cv~juY=Qq2*CBqDto^)c`gc9Nzvt%JT-f6X zgY;ICnpMgwyS+rXoY7|tVE=qs)yrB%ou_I&^d`oHDH$=2*e1-0;Tc)ZxNa$&jli3L zXwa)pLqfc9+rSzdf5y&jFfSsxq*aLt|jVNW!C`#0^T>_p$J%;TXg1h~K$x}TN z^8?i=ir@#T+%4_LSphV@PRH$r@)J!@MbpFMle{_xB9I?x=V&%uW4=A&ML7iK@h^r{ zEY~<@q8eM-;S;2Qjs(c)FOvv*5uXAiP#4yW)j$-9_jWH6pDo71`adqsP*zale;&)3 za7glVI2QW_vkT@(h#3tp3JNuOGUERhZTf%zK+?)DyAmfH+H2Cq@l0CBdF6m*MS(vNm2x>Ie+ zaYcU#(lI|(f^kJPvjD+BW_sX?SQvSh+`_d5_DuPur|}Xr@Xy9PFUp8M;`3v&o+Tkc z=cjMMiy#Wv)HVTnVa%xg&)ty~JPRvxej&(eZl!d_@FJFvG=DzB2%t4SnZ_ zMn-?CO(^snJO1Y~8KNA?;b3AwB>7V0_Mt>Cm4@;)eQfB_wfNJ3YZCi zc2s4f+w52n9+oeR96>50C~aR=G?;{5yd#ty7{nrs0M8F)4MKjjFv=VV{vv!lr-N9+ z6UQL^8iiTS>=`{icufW}dIzP!43&~4g-vWu)NiNS!hub zKiAJD?N^SktSUUumUsS17yr*Ro8{(K@vM`F)1FqFU)*<10l@(HA)Tu|s|=tp$d=jo z`PpFUz~1-7;_O`gI@sr}!rT>}$=;NA4wF*{*E@4bI>}APsk4C_=wKOgFtcw^f$UE= zz2v(q-w`z60ek}VC8lSEK@=dF?QD7`&u4zorHhqfV63a%#-#uSIhZX#mB81DO3yGr zGg6+7E&pBha7+MS-+9_H<}FI!yXZE6Z#&T&OAmF<`Al|1=bqgcBn{1yN0gsKW5?YDq9YxI^g@P?01dGw7wto#0iEySf!ek z)S+5O(bO6J_875ES_hs(dwWAeL!E6B!C>NR10eL48mASVg4{j#sbcPY$py6N46#LF{w`2@%ZIwPq zzFl;0#nM{B`D5tJi2_RYwgFZq+;uly-+aH^n`d8`qxvCxTdT`I1PKrL65&OTts$@n^`_<&}?lRVCZr}&_XLbZ&Ijhj)yv5x0WPh?%5 zSe#CqWzL4pnN+T#fyLwkT75-Lwz>76u4?K8DRDVs8MjUu9=B^gWb{N;TBG5*4}AK0 zvKbbIwxWl=Qn@L0Q7YQki=KvmV%m_YCzV$RecrosOS7S)F^CKn1_BK>-O}K$4%$C z@UPI8cHEb_-MXgopwL1by=;IY?p+UceCVPTf6VDiV;Z&~i?K{1?>kXk?W+d>jN$7r znGWl%eosU=@9p3`MrS;9pWRe^xWZhfW&1ImOX)K)gvCS-rx*^-2rrJTN#D35TB0+% zI4-bfrs5HN9}+UnkRk8ZIpDg#a^+iMO{|rX(ou8W=9@>`;FG0H%U9D%vyH19oappW z?S`I)zv#sP$k53k=v;Lei|PEnB}Wyr%UQSV$8M8!?wGUA@xYg|9t;h6m0{Z><^J9r zRYvzhF0JD8wo%nojW``9Y^MzVMW!`$Lz$?9`yr?}ph)JG7F0et!KKjZs9c=}7tjutuO_PQ;*<%XYd*0B znH~NsyI_fH$We`-cKNnbp$(^k`h^}36fb5LoGO`A#bFOOUn`H%1(Vh|t1_uBh(ju?p2k`3VXLMyv z{M)bm6Vv+=rPwYO>PfdrjZXh&kl)M}9pGKZL%x|;Di<}ZZZyRaDT;YtY>aoO8ht5~ zpb>y56(xIjL`Y)LWKa0=#qGCL9*@ebfn9*uFklsAh`VqMXIk?fq_Oe)S(551DcLXX zoFPh64G}C(Z|)iM2iw~x5e*aZPV#a8I1RPimW|+ZKLoE-AZWekZmU->u#LOU%sKne z)q)?VBlN*Q9AiTX*ImehKm8q#8{i-QryU&JP0uSO%c&DHe(hl_9-^}FSDFl^ZxaoF zfM#jAQ85pv@x+1tq5xT90|~maKHcI>%I7 z?I}4RzT$lAKj`pUoK6KRUT3Q4e8hd|kGX5evL^OGQPp6wVu;Au98R~t$g7dWNH!MW z9yzTt7?dpkseguXHjp~^+p~Wkap4pEs;Lg61e+6PP0uqZn-z&dlV-Q z`am!J4*O(ta-qu8bxb60Ca&Cpx2}n28&}lP%%kL&*U$pp^ann}l)K+&6T{p^E2J!1 z=!K-1(CMCIhT4qjh9LMM1vKjGN=Sbn_EnU;i>V-S^fG1;^;}#(S52sfLIEmuD*A zlF2U=ULMx@m!47(9Tb~W73W>Mx=%B$reJ*4KCwFNWnkGXe88KK{Kow@xqK59_de%E zUxC^iH!E?{|I^;Je+A>8Ea97@o?#g%{w3kPBu7t6d#$&TuBZ*PT8mq&W(DPK#R zY{-EeNC=!DRg`TmRP~YFx@JpaZ`B%dElC5Ug?*o}ehIHA3T3qRJ=1xfd5k zS;>6cK3KeCDftP50SByj2cZvBHi5><&JXJ$RM&8ua* z;v@*&$o3x0rQxPAM%DRfzL%e|toqj~|IJl|VAUlyY~;^dg5C<<4S~!U(|XA<`}-_H zjOJs+>oS8wuzPM7U2;72)*(}OkQc^H583w44!Lu#!wQMv?`-p7DYqAOHz?!=Fn8~J zomxjt7KH1C^^QA|om=HI@1lGk1s&bK zd92mn60Yp2m>$^cYEZSXzB68?e@Bp_N;_*nWUBkMKgBQnJmU1kL{U(+`Eh8ooOb@q zez)G)Wn=4W9N$r^rjkRGDThxh`%K%>m{(5K{+3t;o-~;>-p=u8$@S=nJELCi$T7>y z_FCZ>Ncq!oCjhf;)uM}#C^akSz*Qzgrc_=uhk1Tj#jng(kkC^_dDr6Qv<(B<43T9 z?WQs#1wo2Yeue@~2p&Pg&xM69iV>QmI2BNnaj{>ATo8#?-7SxykYtW-Sw$1wdlB;; zSP1%Xyc{in!B)WmzSGBJXl;W&VGHhppKvwTPl38&h(>R5hyEn-C;@hjW`LFHeweL7 zDraJ@J%<8j=W0b4?_hzIw!s(pNN$;Lwh?Idey68l%Nbf#Dxw z{=gAPwXIR?G0RFiDi9IuqHTyVi2&A*X77m&PhFhLjxsi~qKEf4*R*ZAp?}@3y`e=$ z0R`acm6WkOT+rqy_)JISS(e23vN?TD>u0&U(mru@*hqdY*4s7a5AFG|P;j^nGTR8! z9xkNSv<3DJCZMp3ueDK;XC8tOoWpG#a8JoNFf}>?3Ieq0E7RAbucjV#r~p?zEs6xg z=`Q78xXg2}@PHXO#p5L<c)N{KUm-W^1c^2adEL~EVl&- zjY4(Zq7e&^gIqUYs-7#~5e#{leGWY;i6Af zKRCL%xHS226H}M{BNnbAA3;!OpnyGd=;Q;nP@6OhkRD~_?)-Ly_yewfegxaV8>ncY zf|Q7YznpJhLuZ3=9@SSeW-LV{Z}puwa9qo@h9~-s9J^VOI{(pIl{>FPsLA*K zBZaLZ@bguIhDO9H!;BF6{$1Z*>&4_dHuG(+2cO~wM|SKBNabv8?T4!={vM_{D0Z1N z@?cHB#85OqQSq3aa|Spxmw2uc<9p-*LmTi~z!-v`0K9kiBY#2JIoVBaPo%j@CamVDI(|F19&(b_3LLwGhw7O}cn67glt z(lp<+9m8%WSh$XWsq;EHuIJABtg+X>trkvz?mmWi(_wVRyYA8NduU0lF@#`4p^|RO zdb8hP`0OT+g(31*2LYBsZ=iTsf5pANw1CN$VsCX1w2c)@q965Uu4KjylnOKImFgpA z_xX0#3Uh--?It#&*!n2X_V59KOv+GIVjINqDIK2$M2HLLn0TR_LlJa6s|wuU?jaGU zrnxIqgksTfl?{E{6Z^NjF|Dl$k^bs(z8&_aO0V3{lhfWUNjs2ZWwh}kp4c^tS~vEw zxD*sMeW9F&-=wLeU{f1e1JskPZRupLEdv|5L|h|97&(m1&8(%;uCPQ3e)Mn8Wn)T0 zcHJD_-u6rhj7Nm=3dO+F+vj$92L(xjpjL{vul=y{3STI-vcgH2nh?e-=ngu+J-4kk zD>~le=g*)5+ZLd_=+s1Y-#~W#yd_QEGz^<2<S)KP} zs)D&QGu=zgQTIx@&#!R1^vXq4CgaMq45PdIf0AP9K@)LS-&xh`R|AChs$cS$EYyaR zJx8l%ZrsmJ@-Xy`ULqzPdqfFnihP$f*KiqvqK8hrF=SuX3bf53njUxh-n8niPSt9s z>NF?t<-k_(Gwp!dTM;$ot?n; zznr0KoDdrNMsvcAX7nc`?Tl^7zy*7!95=g0Do%2j5MgAgRN<+m%v+Kk=ZJahr(`lP z5SIMqj`~Z;-TwkXvDEJX literal 0 HcmV?d00001 diff --git a/index.html b/index.html new file mode 100644 index 0000000..6b62e46 --- /dev/null +++ b/index.html @@ -0,0 +1,220 @@ + + + + youwen wu | conditional finality + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +

+ a web-log about computers, math, hacks, and all the rest. +

+ by Youwen Wu + | + + | + +
+
+
+

Latest

+
+ +
+
+ +
+
+

+ © 2024 Youwen Wu. Generated by + Hakyll. + View the source + on GitHub. +

+

+ Content freely available under + CC BY-NC-SA 4.0 + unless otherwise noted. +

+
+ + + diff --git a/nix-automatic-hash-updates-made-easy.html b/nix-automatic-hash-updates-made-easy.html new file mode 100644 index 0000000..bb241be --- /dev/null +++ b/nix-automatic-hash-updates-made-easy.html @@ -0,0 +1,435 @@ + + + + Nix automatic hash updates made easy | conditional finality + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +

+ a web-log about computers, math, hacks, and all the rest. +

+ by Youwen Wu + | + + | + +
+
+
+

+ Nix automatic hash updates made easy +

+

+ keep your flakes up to date +

+
2024-12-28
+
+ +
+
+

Nix users often create flakes to package software out of tree, like this Zen +Browser flake I’ve been +maintaining. Keeping them up to date is a hassle though, since you have to +update the Subresource Integrity (SRI) hashes that Nix uses to ensure +reproducibility.

+

Here’s a neat method I’ve been using to cleanly handle automatic hash updates. +I use Nushell to easily work with data, prefetch +some hashes, and put it all in a JSON file that can be read by Nix at build +time.

+

First, let’s create a file called update.nu. At the top, place this shebang:

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+

This will execute the script in a Nushell environment, which is fetched by Nix.

+

Get the up to date URLs

+

We need to obtain the latest version of whatever software we want to update. +In this case, I’ll use GitHub releases as my source of truth.

+

You can use the GitHub API to fetch metadata about all the releases of a repository.

+
https://api.github.com/repos/($repo)/releases
+

Roughly speaking, the raw JSON returned by the GitHub releases API looks something like:

+
[
+   {tag_name: "foo", prerelease: false, ...},
+   {tag_name: "bar", prerelease: true, ...},
+   {tag_name: "foobar", prerelease: false, ...},
+]
+
+

Note that the ordering of the objects in the array is chronological.

+
+

Even if you aren’t using GitHub releases, as long as there is a reliable way to +programmatically fetch the latest download URLs of whatever software you’re +packaging, you can adapt this approach for your specific case.

+
+

We use Nushell’s http get to make a network request. Nushell will +automatically detect and parse the JSON reponse into a Nushell table.

+

In my case, Zen Browser frequently publishes prerelease “twilight” builds which +we don’t want to update to. So, we ignore any releases tagged “twilight” or +marked “prerelease” by filtering them out with the where selector.

+

Finally, we retrieve the tag name of the item at the first index, which would +be the latest release (since the JSON array was chronologically sorted).

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+
+# get the latest tag of the latest release that isn't a prerelease
+def get_latest_release [repo: string] {
+  try {
+	http get $"https://api.github.com/repos/($repo)/releases"
+	  | where prerelease == false
+	  | where tag_name != "twilight"
+	  | get tag_name
+	  | get 0
+  } catch { |err| $"Failed to fetch latest release, aborting: ($err.msg)" }
+}
+

Prefetching SRI hashes

+

Now that we have the latest tags, we can easily obtain the latest download URLs, which are of the form:

+
https://github.com/zen-browser/desktop/releases/download/$tag/zen.linux-x86_64.tar.bz2
+https://github.com/zen-browser/desktop/releases/download/$tag/zen.aarch64-x86_64.tar.bz2
+

However, we still need the corresponding SRI hashes to pass to Nix.

+
src = fetchurl {
+   url = "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2";
+   hash = "sha256-00000000000000000000000000000000000000000000";
+};
+

The easiest way to obtain these new hashes is to update the URL and then set +the hash property to an empty string (""). Nix will spit out an hash mismatch +error with the correct hash. However, this is inconvenient for automated +command line scripting.

+

The Nix documentation mentions +nix-prefetch-url +as a way to obtain these hashes, but as usual, it doesn’t work quite right and +has also been replaced by a more powerful but underdocumented experimental +feature instead.

+

The nix store +prefetch-file +command does what nix-prefetch-url is supposed to do, but handles the caveats +that lead to the wrong hash being produced automatically.

+

Let’s write a Nushell function that outputs the SRI hash of the given URL. We +tell prefetch-file to output structured JSON that we can parse.

+

Since Nushell is a shell, we can directly invoke shell commands like usual, +and then process their output with pipes.

+
def get_nix_hash [url: string] {
+  nix store prefetch-file --hash-type sha256 --json $url | from json | get hash
+}
+

Cool! Now get_nix_hash can give us SRI hashes that look like this:

+
sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s=
+

Putting it all together

+

Now that we’re able to fetch the latest release, obtain the download URLs, and +compute their SRI hashes, we have all the information we need to make an +automated update. However, these URLs are typically hardcoded in our Nix +expressions. The question remains as to how to update these values.

+

A common way I’ve seen updates performed is using something like sed to +modify the Nix expressions in place. However, there’s actually a more +maintainable and easy to understand approach.

+

Let’s have our Nushell script generate the URLs and hashes and place them in a +JSON file! Then, we’ll be able to read the JSON file from Nix and obtain the +URL and hash.

+
def generate_sources [] {
+  let tag = get_latest_release "zen-browser/desktop"
+  let prev_sources = open ./sources.json
+
+  if $tag == $prev_sources.version {
+	# everything up to date
+	return $tag
+  }
+
+  # generate the download URLs with the new tag
+  let x86_64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-x86_64.tar.bz2"
+  let aarch64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-aarch64.tar.bz2"
+
+  # create a Nushell record that maps cleanly to JSON
+  let sources = {
+    # add a version field as well for convenience
+	version: $tag
+
+	x86_64-linux: {
+	  url:  $x86_64_url
+	  hash: (get_nix_hash $x86_64_url)
+	}
+	aarch64-linux: {
+	  url: $aarch64_url
+	  hash: (get_nix_hash $aarch64_url)
+	}
+  }
+
+  echo $sources | save --force "sources.json"
+
+  return $tag
+}
+

Running this script with

+
chmod +x ./update.nu
+./update.nu
+

gives us the file sources.json:

+
{
+  "version": "1.0.2-b.5",
+  "x86_64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2",
+    "hash": "sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s="
+  },
+  "aarch64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-aarch64.tar.bz2",
+    "hash": "sha256-NwIYylGal2QoWhWKtMhMkAAJQ6iNHfQOBZaxTXgvxAk="
+  }
+}
+

Now, let’s read this from Nix. My file organization looks like the following:

+
./
+| flake.nix
+| zen-browser-unwrapped.nix
+| ...other files...
+

zen-browser-unwrapped.nix contains the derivation for Zen Browser. Let’s add +version, url, and hash to its inputs:

+
{
+  stdenv,
+  fetchurl,
+  # add these below
+  version,
+  url,
+  hash,
+  ...
+}:
+stdenv.mkDerivation {
+   # inherit version from inputs
+  inherit version;
+  pname = "zen-browser-unwrapped";
+
+  src = fetchurl {
+    # inherit the URL and hash we obtain from the inputs
+    inherit url hash;
+  };
+}
+

Then in flake.nix, let’s provide the derivation with the data from sources.json:

+
let
+   supportedSystems = [
+     "x86_64-linux"
+     "aarch64-linux"
+   ];
+   forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+in
+{
+   # rest of file omitted for simplicity
+   packages = forAllSystems (
+     system:
+     let
+       pkgs = import nixpkgs { inherit system; };
+       # parse sources.json into a Nix attrset
+       sources = builtins.fromJSON (builtins.readFile ./sources.json);
+     in
+     rec {
+       zen-browser-unwrapped = pkgs.callPackage ./zen-browser-unwrapped.nix {
+         inherit (sources.${system}) hash url;
+         inherit (sources) version;
+
+         # if the above is difficult to understand, it is equivalent to the following:
+         hash = sources.${system}.hash;
+         url = sources.${system}.url;
+         version = sources.version;
+       };
+}
+

Now, running nix build .#zen-browser-unwrapped will be able to use the hashes +and URLs from sources.json to build the package!

+

Automating it in CI

+

We now have a script that can automatically fetch releases and generate hashes +and URLs, as well as a way for Nix to use the outputted JSON to build +derivations. All that’s left is to fully automate it using CI!

+

We are going to use GitHub actions for this, as it’s free and easy and you’re +probably already hosting on GitHub.

+

Ensure you’ve set up actions for your repo and given it sufficient permissions.

+

We’re gonna run it on a cron timer that checks for updates at 8 PM PST every day.

+

We use DeterminateSystems’ actions to help set up Nix. Then, we simply run our +update script. Since we made the script return the tag it fetched, we can store +it in a variable and then use it in our commit message.

+
name: Update to latest version, and update flake inputs
+
+on:
+  schedule:
+    - cron: "0 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  update:
+    name: Update flake inputs and browser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Check flake inputs
+        uses: DeterminateSystems/flake-checker-action@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Set up magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check for update and perform update
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          chmod +x ./update.nu
+          export ZEN_LATEST_VER="$(./update.nu)"
+
+          git add -A
+          git commit -m "github-actions: update to $ZEN_LATEST_VER" || echo "Latest version is $ZEN_LATEST_VER, no updates found"
+
+          nix flake update --commit-lock-file
+
+          git push
+

Now, our repository will automatically check for and perform updates every day!

+
+ +
+
+

+ © 2024 Youwen Wu. Generated by + Hakyll. + View the source + on GitHub. +

+

+ Content freely available under + CC BY-NC-SA 4.0 + unless otherwise noted. +

+
+ + + diff --git a/out/bundle.css b/out/bundle.css new file mode 100644 index 0000000..816def2 --- /dev/null +++ b/out/bundle.css @@ -0,0 +1 @@ +@import url("https://fonts.googleapis.com/css2?family=Merriweather:ital,wght@0,300;0,400;0,700;0,900;1,300;1,400;1,700;1,900&display=swap");@import url("https://fonts.googleapis.com/css2?family=Open+Sans:ital,wght@0,300..800;1,300..800&display=swap");*,::before,::after{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x:;--tw-pan-y:;--tw-pinch-zoom:;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position:;--tw-gradient-via-position:;--tw-gradient-to-position:;--tw-ordinal:;--tw-slashed-zero:;--tw-numeric-figure:;--tw-numeric-spacing:;--tw-numeric-fraction:;--tw-ring-inset:;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgb(59 130 246/0.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur:;--tw-brightness:;--tw-contrast:;--tw-grayscale:;--tw-hue-rotate:;--tw-invert:;--tw-saturate:;--tw-sepia:;--tw-drop-shadow:;--tw-backdrop-blur:;--tw-backdrop-brightness:;--tw-backdrop-contrast:;--tw-backdrop-grayscale:;--tw-backdrop-hue-rotate:;--tw-backdrop-invert:;--tw-backdrop-opacity:;--tw-backdrop-saturate:;--tw-backdrop-sepia:;--tw-contain-size:;--tw-contain-layout:;--tw-contain-paint:;--tw-contain-style:}::backdrop{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x:;--tw-pan-y:;--tw-pinch-zoom:;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position:;--tw-gradient-via-position:;--tw-gradient-to-position:;--tw-ordinal:;--tw-slashed-zero:;--tw-numeric-figure:;--tw-numeric-spacing:;--tw-numeric-fraction:;--tw-ring-inset:;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgb(59 130 246/0.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur:;--tw-brightness:;--tw-contrast:;--tw-grayscale:;--tw-hue-rotate:;--tw-invert:;--tw-saturate:;--tw-sepia:;--tw-drop-shadow:;--tw-backdrop-blur:;--tw-backdrop-brightness:;--tw-backdrop-contrast:;--tw-backdrop-grayscale:;--tw-backdrop-hue-rotate:;--tw-backdrop-invert:;--tw-backdrop-opacity:;--tw-backdrop-saturate:;--tw-backdrop-sepia:;--tw-contain-size:;--tw-contain-layout:;--tw-contain-paint:;--tw-contain-style:}/* ! tailwindcss v3.4.14 | MIT License | https://tailwindcss.com */*,::before,::after{box-sizing:border-box;border-width:0;border-style:solid;border-color:#e5e7eb}::before,::after{--tw-content:''}html,:host{line-height:1.5;-webkit-text-size-adjust:100%;-moz-tab-size:4;-o-tab-size:4;tab-size:4;font-family:Open Sans,sans-serif;font-feature-settings:normal;font-variation-settings:normal;-webkit-tap-highlight-color:transparent}body{margin:0;line-height:inherit}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,samp,pre{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;font-feature-settings:normal;font-variation-settings:normal;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}button,input,optgroup,select,textarea{font-family:inherit;font-feature-settings:inherit;font-variation-settings:inherit;font-size:100%;font-weight:inherit;line-height:inherit;letter-spacing:inherit;color:inherit;margin:0;padding:0}button,select{text-transform:none}button,input:where([type='button']),input:where([type='reset']),input:where([type='submit']){-webkit-appearance:button;background-color:transparent;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:baseline}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type='search']{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dl,dd,h1,h2,h3,h4,h5,h6,hr,figure,p,pre{margin:0}fieldset{margin:0;padding:0}legend{padding:0}ol,ul,menu{list-style:none;margin:0;padding:0}dialog{padding:0}textarea{resize:vertical}input::-moz-placeholder, textarea::-moz-placeholder{opacity:1;color:#9ca3af}input::placeholder,textarea::placeholder{opacity:1;color:#9ca3af}button,[role="button"]{cursor:pointer}:disabled{cursor:default}img,svg,video,canvas,audio,iframe,embed,object{display:block;vertical-align:middle}img,video{max-width:100%;height:auto}[hidden]:where(:not([hidden="until-found"])){display:none}body{--tw-bg-opacity:1;background-color:rgb(250 244 237/var(--tw-bg-opacity));font-family:Merriweather,serif;--tw-text-opacity:1;color:rgb(68 64 60/var(--tw-text-opacity))}body:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(25 23 36/var(--tw-bg-opacity));--tw-text-opacity:1;color:rgb(224 222 244/var(--tw-text-opacity))}.container{width:100%}@media (min-width:640px){.container{max-width:640px}}@media (min-width:768px){.container{max-width:768px}}@media (min-width:1024px){.container{max-width:1024px}}@media (min-width:1280px){.container{max-width:1280px}}@media (min-width:1536px){.container{max-width:1536px}}.mx-4{margin-left:1rem;margin-right:1rem}.mx-auto{margin-left:auto;margin-right:auto}.my-1{margin-top:0.25rem;margin-bottom:0.25rem}.mb-1{margin-bottom:0.25rem}.mb-14{margin-bottom:3.5rem}.mb-3{margin-bottom:0.75rem}.mb-4{margin-bottom:1rem}.ml-2{margin-left:0.5rem}.mt-1{margin-top:0.25rem}.mt-14{margin-top:3.5rem}.mt-2{margin-top:0.5rem}.mt-4{margin-top:1rem}.mt-6{margin-top:1.5rem}.mt-8{margin-top:2rem}.inline-flex{display:inline-flex}.h-0\.5{height:0.125rem}.h-1{height:0.25rem}.w-fit{width:-moz-fit-content;width:fit-content}.w-full{width:100%}.max-w-2xl{max-width:42rem}.max-w-\[200px\]{max-width:200px}.max-w-sm{max-width:24rem}.flex-shrink{flex-shrink:1}.flex-grow{flex-grow:1}.items-center{align-items:center}.space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(1rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(1rem * var(--tw-space-y-reverse))}.text-nowrap{text-wrap:nowrap}.rounded-lg{border-radius:0.5rem}.rounded-md{border-radius:0.375rem}.rounded-xl{border-radius:0.75rem}.border-0{border-width:0px}.bg-accent-light{--tw-bg-opacity:1;background-color:rgb(121 117 147/var(--tw-bg-opacity))}.bg-muted-light{--tw-bg-opacity:1;background-color:rgb(152 147 165/var(--tw-bg-opacity))}.p-2{padding:0.5rem}.px-1{padding-left:0.25rem;padding-right:0.25rem}.px-2{padding-left:0.5rem;padding-right:0.5rem}.px-4{padding-left:1rem;padding-right:1rem}.pb-12{padding-bottom:3rem}.font-sans{font-family:Open Sans,sans-serif}.font-serif{font-family:Merriweather,serif}.text-2xl{font-size:1.5rem;line-height:2rem}.text-3xl{font-size:1.875rem;line-height:2.25rem}.text-4xl{font-size:2.25rem;line-height:2.5rem}.text-lg{font-size:1.125rem;line-height:1.75rem}.text-sm{font-size:0.875rem;line-height:1.25rem}.font-light{font-weight:300}.font-medium{font-weight:500}.italic{font-style:italic}.leading-relaxed{line-height:1.625}.tracking-wide{letter-spacing:0.025em}.text-accent-light{--tw-text-opacity:1;color:rgb(121 117 147/var(--tw-text-opacity))}.text-iris-light{--tw-text-opacity:1;color:rgb(144 122 169/var(--tw-text-opacity))}.transition-all{transition-property:all;transition-timing-function:cubic-bezier(0.4,0,0.2,1);transition-duration:150ms}.transition-colors{transition-property:color,background-color,border-color,text-decoration-color,fill,stroke;transition-timing-function:cubic-bezier(0.4,0,0.2,1);transition-duration:150ms}.duration-500{transition-duration:500ms}.duration-\[2s\]{transition-duration:2s}.external-link-muted{text-decoration-line:underline;text-decoration-color:#797593;text-decoration-color:#908caa;text-decoration-style:solid;text-decoration-thickness:2px;text-underline-offset:2px}.external-link-muted:hover{--tw-text-opacity:1;color:rgb(180 99 122/var(--tw-text-opacity))}.external-link-muted:hover:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(235 111 146/var(--tw-text-opacity))}.post{h1{font-size:1.5rem;line-height:2rem}h1{font-weight:700}h2{position:relative}h2{margin-top:2rem}h2{width:-moz-fit-content;width:fit-content}h2{font-size:1.5rem;line-height:2rem}h2{font-weight:500}h2::after{position:absolute}h2::after{left:0px}h2::after{margin-top:0.5rem}h2::after{display:block}h2::after{height:0.25rem}h2::after{width:3rem}h2::after{border-radius:0.125rem}h2::after{--tw-bg-opacity:1;background-color:rgb(152 147 165/var(--tw-bg-opacity))}h2:where(.dark,.dark *)::after{--tw-bg-opacity:1;background-color:rgb(110 106 134/var(--tw-bg-opacity))}h2::after{content:""}h3,h4,h5,h6{margin-top:2rem}h3,h4,h5,h6{font-size:1.25rem;line-height:1.75rem}h3,h4,h5,h6{font-weight:500}h3,h4,h5,h6{--tw-text-opacity:1;color:rgb(121 117 147/var(--tw-text-opacity))}h3:where(.dark,.dark *),h4:where(.dark,.dark *),h5:where(.dark,.dark *),h6:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(144 140 170/var(--tw-text-opacity))}p{margin-top:1rem;margin-bottom:1rem}p{overflow-x:auto}p{font-weight:300}p{line-height:2}@media (min-width:640px){p{font-size:1.125rem;line-height:1.75rem}}@media (min-width:640px){p{line-height:2}}img{margin-left:auto;margin-right:auto}img{margin-top:1.5rem;margin-bottom:1.5rem}img{border-radius:0.5rem}div.sourceCode{border-radius:0.5rem}div.sourceCode{padding:1rem}ol,ul{list-style-position:inside}ol,ul{font-weight:300}ol,ul{line-height:2}@media (min-width:640px){ol,ul{font-size:1.125rem;line-height:1.75rem}}@media (min-width:640px){ol,ul{line-height:2}}ul{list-style-type:disc}ol{list-style-type:decimal}ol ol{margin-left:1rem}ol ol{list-style-type:disc}ol ol ol{margin-left:1rem}ol ol ol{list-style-type:"-"}li{margin-top:0.25rem;margin-bottom:0.25rem}hr{margin-top:2.5rem;margin-bottom:2.5rem}hr{margin-left:auto;margin-right:auto}hr{height:0.5rem}hr{max-width:3rem}hr{border-radius:0.75rem}hr{border-width:0px}hr{--tw-bg-opacity:1;background-color:rgb(152 147 165/var(--tw-bg-opacity))}hr:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(110 106 134/var(--tw-bg-opacity))}blockquote{margin-top:1rem;margin-bottom:1rem}blockquote{height:-moz-fit-content;height:fit-content}blockquote{border-left-width:4px}blockquote{--tw-border-opacity:1;border-color:rgb(121 117 147/var(--tw-border-opacity))}blockquote{padding-left:1rem;padding-right:1rem}blockquote{padding-top:0.125rem;padding-bottom:0.125rem}blockquote{font-style:italic}blockquote{--tw-text-opacity:1;color:rgb(121 117 147/var(--tw-text-opacity))}blockquote:where(.dark,.dark *){--tw-border-opacity:1;border-color:rgb(144 140 170/var(--tw-border-opacity))}blockquote:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(144 140 170/var(--tw-text-opacity))}blockquote>p{margin:0px}a:not(code a){text-decoration-line:underline}a:not(code a){text-decoration-color:#b4637a}a:not(code a){text-decoration-color:#eb6f92}a:not(code a){text-decoration-style:solid}a:not(code a){text-decoration-thickness:2px}a:not(code a){text-underline-offset:2px}a:not(code a):hover{--tw-text-opacity:1;color:rgb(180 99 122/var(--tw-text-opacity))}a:not(code a):hover:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(235 111 146/var(--tw-text-opacity))}figure{margin-top:0.5rem;margin-bottom:0.5rem}figure{display:inline-block}figure img{margin-bottom:0.5rem}figure img{vertical-align:top}figure figcaption{text-align:center}details{margin-top:1rem;margin-bottom:1rem}details{overflow-x:auto}details{font-weight:300}details{line-height:2}@media (min-width:640px){details{font-size:1.125rem;line-height:1.75rem}}@media (min-width:640px){details{line-height:2}}details summary{margin-bottom:0.25rem}details summary{cursor:pointer}}.hover\:text-accent-light:hover{--tw-text-opacity:1;color:rgb(121 117 147/var(--tw-text-opacity))}.hover\:text-love-light:hover{--tw-text-opacity:1;color:rgb(180 99 122/var(--tw-text-opacity))}.hover\:text-muted-light:hover{--tw-text-opacity:1;color:rgb(152 147 165/var(--tw-text-opacity))}.group:hover .group-hover\:max-w-\[250px\]{max-width:250px}.group:hover .group-hover\:bg-iris-light{--tw-bg-opacity:1;background-color:rgb(144 122 169/var(--tw-bg-opacity))}.group:hover .group-hover\:text-iris-light{--tw-text-opacity:1;color:rgb(144 122 169/var(--tw-text-opacity))}.group:hover .group-hover\:text-muted-light{--tw-text-opacity:1;color:rgb(152 147 165/var(--tw-text-opacity))}@media (min-width:640px){.sm\:mr-2{margin-right:0.5rem}}@media (min-width:768px){.md\:mt-24{margin-top:6rem}.md\:space-y-8>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(2rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(2rem * var(--tw-space-y-reverse))}.md\:text-5xl{font-size:3rem;line-height:1}}.dark\:bg-accent-dark:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(144 140 170/var(--tw-bg-opacity))}.dark\:bg-muted-dark:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(110 106 134/var(--tw-bg-opacity))}.dark\:text-accent-dark:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(144 140 170/var(--tw-text-opacity))}.dark\:text-iris-dark:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(196 167 231/var(--tw-text-opacity))}.dark\:hover\:text-love-dark:hover:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(235 111 146/var(--tw-text-opacity))}.dark\:hover\:text-muted-dark:hover:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(110 106 134/var(--tw-text-opacity))}.group:hover .dark\:group-hover\:bg-iris-dark:where(.dark,.dark *){--tw-bg-opacity:1;background-color:rgb(196 167 231/var(--tw-bg-opacity))}.group:hover .dark\:group-hover\:text-iris-dark:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(196 167 231/var(--tw-text-opacity))}.group:hover .group-hover\:dark\:text-muted-dark:where(.dark,.dark *){--tw-text-opacity:1;color:rgb(110 106 134/var(--tw-text-opacity))} diff --git a/out/bundle.js b/out/bundle.js new file mode 100644 index 0000000..4602406 --- /dev/null +++ b/out/bundle.js @@ -0,0 +1 @@ +const e=window.matchMedia("(prefers-color-scheme: dark)").matches,t=()=>{document.documentElement.classList.remove("dark")},s=()=>{document.documentElement.classList.add("dark")};let o="dark"===localStorage.getItem("theme")?2:"light"===localStorage.getItem("theme")?1:0;const a=document.getElementById("theme-toggle");a.addEventListener("click",(()=>{switch(o=(o+1)%3,o){case 0:localStorage.removeItem("theme"),e?document.documentElement.classList.add("dark"):document.documentElement.classList.remove("dark"),a.innerText="theme: system";break;case 1:e?(localStorage.setItem("theme","light"),t(),a.innerText="theme: light"):(localStorage.setItem("theme","dark"),s(),a.innerText="theme: dark");break;case 2:e?(localStorage.setItem("theme","dark"),s(),a.innerText="theme: dark"):(localStorage.setItem("theme","light"),t(),a.innerText="theme: light")}}));const n=()=>{document.body.classList.remove("font-sans"),document.body.classList.remove("font-serif")},m=e=>{e&&"serif"===e&&(n(),document.body.classList.add("font-serif")),e&&"sans"===e&&(n(),document.body.classList.add("font-sans")),e||n()};let c=localStorage.getItem("font");m();const l=document.getElementById("font-toggle");l.addEventListener("click",(()=>{c=localStorage.getItem("font"),"sans"===c?(c="serif",l.innerText="serif",localStorage.setItem("font","serif")):(c="sans",l.innerText="sans",localStorage.setItem("font","sans")),m(c)})); diff --git a/robots.txt b/robots.txt new file mode 100644 index 0000000..eb05362 --- /dev/null +++ b/robots.txt @@ -0,0 +1,2 @@ +User-agent: * +Disallow: diff --git a/rss.xml b/rss.xml new file mode 100644 index 0000000..7d86d0a --- /dev/null +++ b/rss.xml @@ -0,0 +1,383 @@ + + + + conditional finality + https://blog.youwen.dev + + + Sat, 28 Dec 2024 00:00:00 UT + + Nix automatic hash updates made easy + https://blog.youwen.dev/nix-automatic-hash-updates-made-easy.html + +
+

+ Nix automatic hash updates made easy +

+

+ keep your flakes up to date +

+
2024-12-28
+
+ +
+
+

Nix users often create flakes to package software out of tree, like this Zen +Browser flake I’ve been +maintaining. Keeping them up to date is a hassle though, since you have to +update the Subresource Integrity (SRI) hashes that Nix uses to ensure +reproducibility.

+

Here’s a neat method I’ve been using to cleanly handle automatic hash updates. +I use Nushell to easily work with data, prefetch +some hashes, and put it all in a JSON file that can be read by Nix at build +time.

+

First, let’s create a file called update.nu. At the top, place this shebang:

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+

This will execute the script in a Nushell environment, which is fetched by Nix.

+

Get the up to date URLs

+

We need to obtain the latest version of whatever software we want to update. +In this case, I’ll use GitHub releases as my source of truth.

+

You can use the GitHub API to fetch metadata about all the releases of a repository.

+
https://api.github.com/repos/($repo)/releases
+

Roughly speaking, the raw JSON returned by the GitHub releases API looks something like:

+
[
+   {tag_name: "foo", prerelease: false, ...},
+   {tag_name: "bar", prerelease: true, ...},
+   {tag_name: "foobar", prerelease: false, ...},
+]
+
+

Note that the ordering of the objects in the array is chronological.

+
+

Even if you aren’t using GitHub releases, as long as there is a reliable way to +programmatically fetch the latest download URLs of whatever software you’re +packaging, you can adapt this approach for your specific case.

+
+

We use Nushell’s http get to make a network request. Nushell will +automatically detect and parse the JSON reponse into a Nushell table.

+

In my case, Zen Browser frequently publishes prerelease “twilight” builds which +we don’t want to update to. So, we ignore any releases tagged “twilight” or +marked “prerelease” by filtering them out with the where selector.

+

Finally, we retrieve the tag name of the item at the first index, which would +be the latest release (since the JSON array was chronologically sorted).

+
#!/usr/bin/env -S nix shell nixpkgs#nushell --command nu
+
+# get the latest tag of the latest release that isn't a prerelease
+def get_latest_release [repo: string] {
+  try {
+	http get $"https://api.github.com/repos/($repo)/releases"
+	  | where prerelease == false
+	  | where tag_name != "twilight"
+	  | get tag_name
+	  | get 0
+  } catch { |err| $"Failed to fetch latest release, aborting: ($err.msg)" }
+}
+

Prefetching SRI hashes

+

Now that we have the latest tags, we can easily obtain the latest download URLs, which are of the form:

+
https://github.com/zen-browser/desktop/releases/download/$tag/zen.linux-x86_64.tar.bz2
+https://github.com/zen-browser/desktop/releases/download/$tag/zen.aarch64-x86_64.tar.bz2
+

However, we still need the corresponding SRI hashes to pass to Nix.

+
src = fetchurl {
+   url = "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2";
+   hash = "sha256-00000000000000000000000000000000000000000000";
+};
+

The easiest way to obtain these new hashes is to update the URL and then set +the hash property to an empty string (""). Nix will spit out an hash mismatch +error with the correct hash. However, this is inconvenient for automated +command line scripting.

+

The Nix documentation mentions +nix-prefetch-url +as a way to obtain these hashes, but as usual, it doesn’t work quite right and +has also been replaced by a more powerful but underdocumented experimental +feature instead.

+

The nix store +prefetch-file +command does what nix-prefetch-url is supposed to do, but handles the caveats +that lead to the wrong hash being produced automatically.

+

Let’s write a Nushell function that outputs the SRI hash of the given URL. We +tell prefetch-file to output structured JSON that we can parse.

+

Since Nushell is a shell, we can directly invoke shell commands like usual, +and then process their output with pipes.

+
def get_nix_hash [url: string] {
+  nix store prefetch-file --hash-type sha256 --json $url | from json | get hash
+}
+

Cool! Now get_nix_hash can give us SRI hashes that look like this:

+
sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s=
+

Putting it all together

+

Now that we’re able to fetch the latest release, obtain the download URLs, and +compute their SRI hashes, we have all the information we need to make an +automated update. However, these URLs are typically hardcoded in our Nix +expressions. The question remains as to how to update these values.

+

A common way I’ve seen updates performed is using something like sed to +modify the Nix expressions in place. However, there’s actually a more +maintainable and easy to understand approach.

+

Let’s have our Nushell script generate the URLs and hashes and place them in a +JSON file! Then, we’ll be able to read the JSON file from Nix and obtain the +URL and hash.

+
def generate_sources [] {
+  let tag = get_latest_release "zen-browser/desktop"
+  let prev_sources = open ./sources.json
+
+  if $tag == $prev_sources.version {
+	# everything up to date
+	return $tag
+  }
+
+  # generate the download URLs with the new tag
+  let x86_64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-x86_64.tar.bz2"
+  let aarch64_url = $"https://github.com/zen-browser/desktop/releases/download/($tag)/zen.linux-aarch64.tar.bz2"
+
+  # create a Nushell record that maps cleanly to JSON
+  let sources = {
+    # add a version field as well for convenience
+	version: $tag
+
+	x86_64-linux: {
+	  url:  $x86_64_url
+	  hash: (get_nix_hash $x86_64_url)
+	}
+	aarch64-linux: {
+	  url: $aarch64_url
+	  hash: (get_nix_hash $aarch64_url)
+	}
+  }
+
+  echo $sources | save --force "sources.json"
+
+  return $tag
+}
+

Running this script with

+
chmod +x ./update.nu
+./update.nu
+

gives us the file sources.json:

+
{
+  "version": "1.0.2-b.5",
+  "x86_64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-x86_64.tar.bz2",
+    "hash": "sha256-K3zTCLdvg/VYQNsfeohw65Ghk8FAjhOl8hXU6REO4/s="
+  },
+  "aarch64-linux": {
+    "url": "https://github.com/zen-browser/desktop/releases/download/1.0.2-b.5/zen.linux-aarch64.tar.bz2",
+    "hash": "sha256-NwIYylGal2QoWhWKtMhMkAAJQ6iNHfQOBZaxTXgvxAk="
+  }
+}
+

Now, let’s read this from Nix. My file organization looks like the following:

+
./
+| flake.nix
+| zen-browser-unwrapped.nix
+| ...other files...
+

zen-browser-unwrapped.nix contains the derivation for Zen Browser. Let’s add +version, url, and hash to its inputs:

+
{
+  stdenv,
+  fetchurl,
+  # add these below
+  version,
+  url,
+  hash,
+  ...
+}:
+stdenv.mkDerivation {
+   # inherit version from inputs
+  inherit version;
+  pname = "zen-browser-unwrapped";
+
+  src = fetchurl {
+    # inherit the URL and hash we obtain from the inputs
+    inherit url hash;
+  };
+}
+

Then in flake.nix, let’s provide the derivation with the data from sources.json:

+
let
+   supportedSystems = [
+     "x86_64-linux"
+     "aarch64-linux"
+   ];
+   forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+in
+{
+   # rest of file omitted for simplicity
+   packages = forAllSystems (
+     system:
+     let
+       pkgs = import nixpkgs { inherit system; };
+       # parse sources.json into a Nix attrset
+       sources = builtins.fromJSON (builtins.readFile ./sources.json);
+     in
+     rec {
+       zen-browser-unwrapped = pkgs.callPackage ./zen-browser-unwrapped.nix {
+         inherit (sources.${system}) hash url;
+         inherit (sources) version;
+
+         # if the above is difficult to understand, it is equivalent to the following:
+         hash = sources.${system}.hash;
+         url = sources.${system}.url;
+         version = sources.version;
+       };
+}
+

Now, running nix build .#zen-browser-unwrapped will be able to use the hashes +and URLs from sources.json to build the package!

+

Automating it in CI

+

We now have a script that can automatically fetch releases and generate hashes +and URLs, as well as a way for Nix to use the outputted JSON to build +derivations. All that’s left is to fully automate it using CI!

+

We are going to use GitHub actions for this, as it’s free and easy and you’re +probably already hosting on GitHub.

+

Ensure you’ve set up actions for your repo and given it sufficient permissions.

+

We’re gonna run it on a cron timer that checks for updates at 8 PM PST every day.

+

We use DeterminateSystems’ actions to help set up Nix. Then, we simply run our +update script. Since we made the script return the tag it fetched, we can store +it in a variable and then use it in our commit message.

+
name: Update to latest version, and update flake inputs
+
+on:
+  schedule:
+    - cron: "0 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  update:
+    name: Update flake inputs and browser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Check flake inputs
+        uses: DeterminateSystems/flake-checker-action@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Set up magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check for update and perform update
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          chmod +x ./update.nu
+          export ZEN_LATEST_VER="$(./update.nu)"
+
+          git add -A
+          git commit -m "github-actions: update to $ZEN_LATEST_VER" || echo "Latest version is $ZEN_LATEST_VER, no updates found"
+
+          nix flake update --commit-lock-file
+
+          git push
+

Now, our repository will automatically check for and perform updates every day!

+ +]]>
+ Sat, 28 Dec 2024 00:00:00 UT + https://blog.youwen.dev/nix-automatic-hash-updates-made-easy.html + Youwen Wu +
+ + a haskellian blog + https://blog.youwen.dev/a-haskellian-blog.html + +
+

+ a haskellian blog +

+

+ a purely functional...blog? +

+
2024-05-25
+
+ (last updated: 2024-05-25T12:00:00Z) +
+
+

Welcome! This is the first post on conditional finality and also one that tests all +of the features.

+

conditional finality

+
+

A monad is just a monoid in the category of endofunctors, what’s the problem?

+
+

haskell?

+

This entire blog is generated with hakyll. It’s +a library for generating static sites for Haskell, a purely functional +programming language. It’s a library because it doesn’t come with as many +batteries included as tools like Hugo or Astro. You set up most of the site +yourself by calling the library from Haskell.

+

Here’s a brief excerpt:

+
main :: IO ()
+main = hakyllWith config $ do
+    forM_
+        [ "CNAME"
+        , "favicon.ico"
+        , "robots.txt"
+        , "_config.yml"
+        , "images/*"
+        , "out/*"
+        , "fonts/*"
+        ]
+        $ \f -> match f $ do
+            route idRoute
+            compile copyFileCompiler
+

The code highlighting is also generated by hakyll.

+
+

why?

+

Haskell is a purely functional language with no mutable state. Its syntax +actually makes it pretty elegant for declaring routes and “rendering” pipelines.

+
    +
  1. Haskell is cool.
  2. +
  3. It comes with enough features that I don’t feel like I have to build +everything from scratch.
  4. +
  5. It comes with Pandoc, a Haskell library for converting between markdown +formats. It’s probably more powerful than anything you could do in nodejs. +It renders all of the markdown to HTML as well as the math. +
      +
    1. It supports KaTeX as well as MathML. I’m a little disappointed with the +KaTeX though. It doesn’t directly render it, but simply injects the KaTeX +files and renders it client-side.
    2. +
  6. +
+

speaking of math

+

We can have math inline, like so: +ex2dx=π\int_{-\infty}^\infty \, e^{-x^2}\,dx = \sqrt{\pi}. This site ships semantic +MathML math with its HTML, and the MathJax script to the client.

+

It’d be nice if MathML could just be used and supported across all browsers, but +unfortunately we still aren’t quite there yet. Firefox is the only one where +everything looks 80% of the way to LaTeX. On Safari and Chrome, even simple +equations like π\sqrt{\pi} render improperly.

+

Pros of MathML:

+
    +
  • A little more accessible
  • +
  • Can be rendered without additional stylesheets. I just installed the Latin +Modern font, but this isn’t even really necessary
  • +
  • Built-in to most browsers (#UseThePlatform)
  • +
+

Cons:

+
    +
  • Isn’t fully standardized. Might look different on different browsers
  • +
  • Rendering quality isn’t as good as KaTeX
  • +
+

This site has MathJax render all of the math so it looks nice and standardized +across browsers, but the math still displays regardless (like say if MathJax +couldn’t load due to slow network) because of MathML. Best of both worlds.

+

Let’s try it now. Here’s a simple theorem:

+

an+bncn{a,b,c}n3 +a^n + b^n \ne c^n \, \forall\,\left\{ a,\,b,\,c \right\} \in \mathbb{Z} \land n \ge 3 +

+

The proof is trivial and will be left as an exercise to the reader.

+

seems a little overengineered

+

Probably is. Not as much as the old one, though.

+ +]]>
+ Sat, 25 May 2024 00:00:00 UT + https://blog.youwen.dev/a-haskellian-blog.html + Youwen Wu +
+ +
+
diff --git a/sitemap.xml b/sitemap.xml new file mode 100644 index 0000000..c159164 --- /dev/null +++ b/sitemap.xml @@ -0,0 +1,23 @@ + + + + https://blog.youwen.dev + daily + 1.0 + + + + https://blog.youwen.dev/nix-automatic-hash-updates-made-easy.html + 2024-12-28 + weekly + 0.8 + + + + https://blog.youwen.dev/a-haskellian-blog.html + 2024-05-25T12:00:00Z + weekly + 0.8 + + +