Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#69933 - [shadow] Use upstream login.defs
Attached to Project: Arch Linux
Opened by lukpod (lukpod) - Wednesday, 10 March 2021, 16:30 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 10 March 2021, 17:49 GMT
Details
The upstream provides login.defs in the tarball and it is more thorough.
https://github.com/shadow-maint/shadow/blob/master/etc/login.defs
Dropped:
ENCRYPT_METHOD SHA512
Added:
CHFN_AUTH yes
CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
ENV_HZ HZ=100
ENVIRON_FILE /etc/environment
FAILLOG_ENAB yes
FTMP_FILE /var/log/btmp
LASTLOG_ENAB yes
MAIL_CHECK_ENAB yes
NOLOGINS_FILE /etc/nologin
NONEXISTENT /nonexistent
OBSCURE_CHECKS_ENAB yes
PASS_ALWAYS_WARN yes
PASS_CHANGE_TRIES 5
PASS_MIN_LEN 5
PORTTIME_CHECKS_ENAB yes
QUOTAS_ENAB yes
SUB_GID_COUNT 65536
SUB_GID_MAX 600100000
SUB_GID_MIN 100000
SUB_UID_COUNT 65536
SUB_UID_MAX 600100000
SUB_UID_MIN 100000
SU_WHEEL_ONLY no
Changed:
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin -> PATH=/bin:/usr/bin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin -> PATH=/sbin:/bin:/usr/sbin:/usr/bin
MOTD_FILE -> /etc/motd
SYS_GID_MIN 500 -> SYS_GID_MIN 101
SYS_UID_MIN 500 -> SYS_UID_MIN 101
UMASK 077 -> UMASK 022
configuration error - unknown item 'NONEXISTENT' (notify administrator)
configuration error - unknown item 'GRANT_AUX_GROUP_SUBIDS' (notify administrator)
I hadn't uncommented all the items so there may be more unknown ones.
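To make the kind of comparison listed above (and the "unknown item" errors shadow raised) repeatable, here is an added example, not code from the ticket or from shadow: a small Python script that parses two login.defs files, reports dropped/added/changed keys, and flags keys that are absent from a known-option table. The two file excerpts and KNOWN_OPTIONS are constructed placeholders; a real check would fill KNOWN_OPTIONS from the getdef.c table of the installed shadow version.

```python
import re
from typing import Dict, Iterable, List

# login.defs lines are "KEY VALUE"; the value may be empty (e.g. MOTD_FILE); a leading '#' comments the line out.
_LINE_RE = re.compile(r"^([A-Z_][A-Z0-9_]*)(?:\s+(.*?))?\s*$")

def parse_login_defs(text: str) -> Dict[str, str]:
    """Return active KEY -> VALUE pairs; a later duplicate key overrides an earlier one."""
    defs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            defs[m.group(1)] = m.group(2) or ""
    return defs

def diff_login_defs(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, object]:
    """Summarise old -> new the way the ticket does: dropped, added and changed keys."""
    return {
        "dropped": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "changed": {k: (old[k], new[k]) for k in sorted(old) if k in new and old[k] != new[k]},
    }

def unknown_items(defs: Dict[str, str], known: Iterable[str]) -> List[str]:
    """Keys the consuming tool would reject with 'configuration error - unknown item'."""
    known_set = set(known)
    return sorted(k for k in defs if k not in known_set)

# Constructed excerpts, not the real files: Arch's pre-change file and an upstream-style one.
ARCH_OLD = ("ENCRYPT_METHOD SHA512\nUMASK 077\nHOME_MODE 0700\nSYS_UID_MIN 500\n"
            "ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin\n")
UPSTREAM = ("UMASK 022\nSYS_UID_MIN 101\nENV_PATH PATH=/bin:/usr/bin\n#MOTD_FILE\n"
            "NONEXISTENT /nonexistent\nGRANT_AUX_GROUP_SUBIDS yes\n")
# Constructed placeholder for the option table; fill it from getdef.c of the installed shadow version.
KNOWN_OPTIONS = {"ENCRYPT_METHOD", "UMASK", "HOME_MODE", "SYS_UID_MIN", "ENV_PATH", "MOTD_FILE"}

def report() -> Dict[str, object]:
    """Diff the two excerpts and flag keys shadow would reject."""
    old, new = parse_login_defs(ARCH_OLD), parse_login_defs(UPSTREAM)
    result = diff_login_defs(old, new)
    result["unknown"] = unknown_items(new, KNOWN_OPTIONS)
    return result

if __name__ == "__main__":
    for section, items in report().items():
        print(f"{section}: {items}")
```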
Commented out, with a comment that the setting is unsupported [1]:
CHFN_AUTH
CRACKLIB_DICTPATH
ENV_HZ HZ
ENV_TZ
ENVIRON_FILE
FAILLOG_ENAB
FTMP_FILE
ISSUE_FILE
LASTLOG_ENAB
LOGIN_STRING
MAIL_CHECK_ENAB
MOTD_FILE
NOLOGINS_FILE
OBSCURE_CHECKS_ENAB
PASS_ALWAYS_WARN
PASS_CHANGE_TRIES
PASS_MAX_LEN
PASS_MIN_LEN
PORTTIME_CHECKS_ENAB
QUOTAS_ENAB
SU_WHEEL_ONLY
ULIMIT
Restored to Arch's current setting:
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
SYS_GID_MIN 500
SYS_UID_MIN 500
Added back:
ENCRYPT_METHOD SHA512
Supporting FS#66068:
UMASK 022
HOME_MODE 0700
[1] https://github.com/shadow-maint/shadow/commit/71c6165dcd6b808fc1bf11e0dfb3692beb06221c
As in the previous comment, but with the introductory comment from marekm added back to the start of login.defs.
TBD:
CONSOLE looks as though it is not used with pam enabled.
Is the introductory text still accurate?
SYS_GID_MIN / SYS_UID_MIN using the upstream value of 101 should not be an issue for any official package, but would be for AUR PKGBUILDs still using useradd -r.
ENV_SUPATH PATH / ENV_PATH PATH using the upstream values would remove /usr/local/bin.
ENCRYPT_METHOD SHA512 see FS#67393
UMASK / HOME_MODE see FS#66068
Just check if there is any other use case there; if not, we can null it.
#ifndef USE_PAM
https://github.com/shadow-maint/shadow/blob/4.8.1/lib/getdef.c#L84 entry for option CONSOLE_GROUPS, CONSOLE entry is on the line below.
https://github.com/shadow-maint/shadow/blob/4.8.1/libmisc/console.c the console related functions is_listed and console are defined here. Line 132 is the only use of the option CONSOLE.
https://github.com/shadow-maint/shadow/blob/4.8.1/lib/prototypes.h#L352 one guarded use declaring function setup_uid_gid with parameter console plus one unguarded use declaring function console defined above.
https://github.com/shadow-maint/shadow/blob/4.8.1/libmisc/setugid.c#L123 defines function setup_uid_gid with parameter console declared above plus one related use in the same file both guarded.
https://github.com/shadow-maint/shadow/blob/4.8.1/libmisc/setugid.c#L134 only use of CONSOLE_GROUPS and is guarded in the same block as above.
https://github.com/shadow-maint/shadow/blob/4.8.1/src/login.c#L613 uses function console plus three related uses in the same file all guarded.
https://github.com/shadow-maint/shadow/blob/4.8.1/src/su.c#L713 uses function console plus two related uses in the same file all guarded.
Really needs someone else to cross check the above.
Edit:
As login, su, chsh, chfn, sg, nologin, vipw and vigr are provided by util-linux, that needs to be checked as well.
So far, MOTD_FILE is supported, plus a new option LOGIN_PLAIN_PROMPT that shadow does not support.
List of login.defs options util-linux supports I have found so far:
ALWAYS_SET_PATH
CHFN_RESTRICT
DEFAULT_HOME
ENV_PATH
ENV_ROOTPATH
ENV_SUPATH
FAIL_DELAY
HUSHLOGIN_FILE
LASTLOG_UID_MAX
LOGIN_KEEP_USERNAME
LOGIN_PLAIN_PROMPT
LOGIN_RETRIES
LOGIN_TIMEOUT
LOG_UNKFAIL_ENAB
MOTD_FILE
MOTD_FIRSTONLY
SYS_UID_MAX
SYS_UID_MIN
UID_MAX
UID_MIN
TTYGROUP
TTYPERM
Added back MOTD_FILE. This is set to an empty string in login.defs-arch.patch, otherwise it will be displayed first by pam_motd and then a second time by login.
The related comment needs adjustment to document this.
Edit:
Compared to the old login.defs:
Removed:
LOG_OK_LOGINS
SYSLOG_SU_ENAB
CONSOLE
SU_LOGFILE
TTYTYPE_FILE
SU_NAME
ERASECHAR
KILLCHAR
CONSOLE_GROUPS
Added 5cd04d03f94622c12220d4a6352824af081b8531.patch from upstream supporting yescrypt.
Added FS71393.patch supporting FS#71393 change default encryption method to yescrypt.
Fedora includes all the options in the current list plus MOTD_FILE and SHA_CRYPT_MIN_ROUNDS which I believe are supported.
https://github.com/karelzak/util-linux/commit/5a528e2c6ff9735266fc2607c359e925b074bf2c
And I should ask for a /etc/motd.d directory in filesystem in this case, FS#71797
Edit:
Hmmm, motd is printed by pam_motd, right? Can we drop it from pambase and rely on util-linux's login?
Edit2:
https://github.com/karelzak/util-linux/commit/72b155ea6e25730d7c01d345cc2df269c2c47635
...what a mess.
Edit3:
Since pam_motd supports directories too (https://github.com/linux-pam/linux-pam/blob/v1.5.1/modules/pam_motd/pam_motd.c#L28) an option is keep current login.defs configuration (empty MOTD_FILE to silence util-linux's login) and drop pam_motd's "motd=/etc/motd" option from system-login (OR add motd_dir=/etc/motd.d to restrict it to /etc).
@marcosfrm I would suggest opening a feature request against pambase to amend the options passed to pam_motd.so in either of the ways you suggested.