Draft: locked-root installations: change the default failure mode during system recovery to 'fail open', and add a medium-priority debconf question

James Addison requested to merge jayaddison/user-setup:wip/rootpassword into master

For a multitude of reasons, systems can require recovery during their operational lifetime.

Some of these systems have locked root user accounts; that is, there is no specific password that can be used to grant complete system access. That's a feature that Debian offers intentionally.

However, that causes a potential problem during recovery, especially for low-criticality systems where the user would like to attempt (frequently easy, successful) basic repairs on the system without having to faff around a lot.

As a result, we should ask a question about the failure mode that the user prefers for the installed system when they've confirmed that they want a locked root user account.

The terminology used here is 'fail open', also known as 'fail safe', where access to the system is allowed following unexpected failures or intentional recovery attempts. This contrasts with 'fail closed', or 'fail secure', where the system would become non-trivial to access under those circumstances.

Note that this is a change in behaviour from the Debian 12.0 (bookworm) initial release. The default failure mode with a locked root account changed from fail-open (recovery shell available by default) to fail-closed (console locked by default) in Debian 10.0 (buster) - see the Debian 10.0 (buster) release notes and Debian bug 802211 for details.

Edited by James Addison