I was looking at the merges... baselayout seemed to have a password set for root in shadow. Is that intentional? If a user merges that then they may have just comprimised their box and at the same time locked themselves out.
Yeah, its a md5 encoded "blank" passwd. Check pkg_postinst() .. it will *never* update shadow and passwd if they are present ...