branding: enforce passwordless root via passwd -d -R; remove direct passwd/shadow edits

initramfs: switch to passwd -d -R in scripts/lib/initramfs.sh:initramfs_finalize_customization() for shadow-aware passwordless root (aligned with 9423b708 intent), drop sed and chpasswd paths, and add validation diagnostics. common: normalize INSTALL_DIR/COMPONENTS_DIR/KERNEL_DIR/DIST_DIR to absolute paths after sourcing config to prevent validation resolving under kernel/current. Dockerfile: include shadow (for passwd/chpasswd), ensure openssl and openssl-dev present; remove perl. config: introduce ZEROOS_PASSWORDLESS_ROOT default true and comment password vars. docs: NOTES.md updated with diagnostics and flow.

config/zinit/getty.yaml

@@ -1,2 +1,2 @@
-exec: /sbin/getty -L 115200 ttyS0 vt100
+exec: /sbin/agetty -a root -L 115200 ttyS0 vt100
 restart: always

config/zinit/gettyconsole.yaml

@@ -1,2 +1,2 @@
-exec: /sbin/getty -L 115200 console vt100
+exec: /bin/sh
 restart: always

config/zinit/init/network.sh

@@ -4,4 +4,5 @@ set -e
 if ! getent group dhcpcd >/dev/null 2>&1; then addgroup -S dhcpcd 2>/dev/null || true; fi
 if ! getent passwd dhcpcd >/dev/null 2>&1; then adduser -S -H -D -s /sbin/nologin -G dhcpcd dhcpcd 2>/dev/null || true; fi
 # Exec dhcpcd (will run as root if it cannot drop to dhcpcd user)
-exec dhcpcd ""
+interfaces=$(ip -br l | awk '!/lo/&&!/my0/{print $1}')
+exec dhcpcd $interfaces