I’m a bit confused about the order to proceed in order to keep the system usable after this update. Edited for our own good
Do pacnew in /etc.pam.d/ have to be proceed before reboot? 
I’m the kind of guy to put chances on my side before updating my machine, better than chrooting it after it breaks.
Then, just after TTY updating, ones should look for pacnews files, and apply changes right away. Am I right ?
For now it looks like I would have 3 pacnew files after update:
[philippe@Probook-450 ~]$ grep -E "pam_tally|pam_cracklib" /etc/pam.d/*
/etc/pam.d/gdm-fingerprint:auth required pam_tally.so onerr=succeed file=/var/log/faillog
/etc/pam.d/gdm-smartcard:auth required pam_tally.so onerr=succeed file=/var/log/faillog
/etc/pam.d/passwd:#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
/etc/pam.d/system-login:auth required pam_tally2.so onerr=succeed file=/var/log/tallylog
/etc/pam.d/system-login:account required pam_tally2.so
[philippe@Probook-450 ~]$
Until here I was used to proceed pacnew with two terminal windows, but in TTY I will have only one 
I’ve read severals workaround here and here, but what is the best method?
Any help would be appreciate