Over time coquelicot was leaking FDs of (deleted) .lock files. I
tracked this down to that file_exists? on depot never closes the
lockfile it opened. So anytime when someone hit a 404 (e.g. due
to requesting /robots.txt) we leaked a file descriptor.

This was caused by how the code returned from within a block, as
it would directly jump out of the block and never unlink the lockfile.

Refactoring the different code interactions with the lockfile, while
wrapping it with a lockfile block, make it properly clean up the lockfile.

`--sort-by-file` is now set by default in gettext:update:po task,
so this will prevent extra diffs with the next update.

The `userpass` authentication mechanism prompts for a user and password
to perform an upload. The credentials are stored as pairs of login/password in
the local configuration. Password are stored in an encrypted form using
bcrypt().

`userpass` configured with a single account can be used instead of `simplepass`
to allow users to make their browser retain the upload credentials.

Based on a patch from Rowan Thorpe.