* master: (71 commits)
  component/restic: version up v0.16.1
  software/slapos-master: support new "nofile" option
  software/wendelin: Set zopewsgi nofile option default to true
  software/erp5: Add nofile option
  Add sslpsk.
  rapid-cdn: Avoid needless trailing slash sent to backend
  component/kerberos: Enforce SlapOS provided components
  component/p11-kit: Extend PATH to make xzcat available
  component/xorg: Extend PATH to make xzcat available
  pygolang: Provide python-interpreter:exe
  component/ghostscript: backport a bugfix patch
  component/ghostscript: remove ignored --disable-threadsafe
  component/ghostscript: build with libidn
  component/curl: build with libidn2
  component/libidn: new component (libidn and libidn2)
  component/slapos/obs.cfg: fix after perl version up
  component/gtk-2: Extend PATH to make xzcat available
  component/freetype: Extend PATH to make xzcat available
  component/trafficserver: Version up
  software/backupserver: Follow up nginx upgrade
  ...

In Wendelin we mostly always want to run our zopes with the soft limit
set to the hard limit.

levin.zimmermann/erp5@d8b5b910 added the functionality to ERP5 to
set its soft limit of allowed open file descriptors to the system wide hard limit.
This parameter is useful for Wendelin based instances where the 1024
limit is easily reached.

With this patch, this parameter can also be set via SlapOS, which
simplifies usage of the Wendelin SR.

See merge request nexedi/slapos!1460

Cover a case of not adding needless trailing / while accessing a backend from
top level of the URL.

As / are stripped while parsing the url, expose the situation that even if
url ends with a /, it won't be sent for top level access.

Here is the mapping of configured URL, path accessed on the CDN side and path
sent to the backend:

 * backend/index.html   frontend/     index.html
 * backend/index.html   frontend/a    index.html/a
 * backend/index.html   frontend/a/   index.html/a/
 * backend/index.html/  frontend/     index.html
 * backend/index.html/  frontend/a    index.html/a
 * backend/index.html/  frontend/a/   index.html/a/

During my recent work I needed to use path for generated interpreter in
several places and found the need to repeat
${buildout:bin-directory}/${python-interpreter:interpreter} both tiring
and error-prone, because the knowledge where executable is placed
is implicitly used and relied upon.

On the other hand:

- pygolang already provides ${gpython:exe} as reference to the place
  where gpython is installed (see e1d269b4)

- pygolang already uses :exe for interpreter generated to accompany
  pyprog (see 0ee52376 and e328aa49)

So python-interpreter not providing :exe is an oversight and the logical
fix is to start providing python-interpreter:exe as well.

-> Do it and convert */software.cfg throughout the tree, where
python-interpreter is found, to use it.

/cc @jerome, @Tyagov, @alain.takoudjou, @xavier_thompson, @levin.zimmermann
/reviewed-on nexedi/slapos!1456

The new ghostscript could not decrypt some password protected files. It turned out to be a bug in ghostscript but in the process of investigating I thought it might be related to missing libidn that is also used in PDF passwords, so I added it.

See merge request !1455