Hi. So, you seem to be thinking about things a bit differently than I am. I took a few days to come up to speed.
It sounds like you're assuming that someone will add pam_tally or pam_tally2 using a package profile in /usr/share/pam-configs. I was assuming someone would add pam_tally or pam_tally2 by modifying the config in /etc/pam.d directly.

First, I'm guessing that when you talk about someone enabling pam_tally through pam-configs you are talking about in a profile they wrote, not in a package in Debian. If there's a package in Debian that enables pam_tally we should file a bug against that package and use a breaks relationship to avoid the issue.

If someone has included a module they wrote in /usr/share/pam-configs, I agree with your original approach: we should detect that module and halt the upgrade.

However, if there are no modules that enable pam_tally from pam-configs but there are entries in /etc/pam.d/*, I think we should comment those entries out. This may disable future automatic updates depending on where the changes are in the pam.d files, but I think that's a better outcome than upgrading to a known-wont-let-you-login configuration. We'd want to display a note to this effect if we make any changes.

I think I can implement the above once we're agreed on the approach. I'd appreciate feedback on whether that is the right approach.
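
The decision flow proposed in the message above, sketched as an added example that is not part of the original message or of the Debian pam package. The function names, the `# pam_tally removed:` marker and the scratch directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration (not Debian's maintainer script). Directories are
# parameters so the logic can be exercised on a scratch tree.
# Active (non-comment) lines that load pam_tally.so or pam_tally2.so:
TALLY_RE='^[[:space:]]*[^#[:space:]].*pam_tally2?\.so'

# List profiles in pam-configs directory $1 that enable pam_tally.
tally_profiles() {
    [ -d "$1" ] || return 0
    grep -lE "$TALLY_RE" "$1"/* 2>/dev/null || true
}

# Comment out active pam_tally lines in each file of pam.d directory $1 and
# print the changed files, so the caller can display a note. Uses GNU sed -i.
comment_out_tally() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -qE "$TALLY_RE" "$f" || continue
        sed -E -i "/$TALLY_RE/ s/^/# pam_tally removed: /" "$f"
        echo "$f"
    done
}

# Echo "halt" if a profile enables pam_tally, "commented" if direct entries
# were commented out, "clean" if nothing referenced the module.
check_pam_tally() {
    if [ -n "$(tally_profiles "$1")" ]; then
        echo halt
    elif [ -n "$(comment_out_tally "$2")" ]; then
        echo commented
    else
        echo clean
    fi
}

# Constructed sample tree: one direct pam.d edit, no offending profile.
demo=$(mktemp -d)
mkdir "$demo/pam-configs" "$demo/pam.d"
printf 'Name: Unix\nAuth:\n\trequired pam_unix.so\n' > "$demo/pam-configs/unix"
printf 'auth required pam_tally2.so deny=3\nauth required pam_unix.so\n' \
    > "$demo/pam.d/common-auth"
echo "result: $(check_pam_tally "$demo/pam-configs" "$demo/pam.d")"
cat "$demo/pam.d/common-auth"
rm -rf "$demo"
```

Lines that are already commented out are left alone, so running the check a second time on the same tree reports `clean`.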