There is no plan for 'binary packages'. The plan is to commit an update to pkgsrc head that fixes the CVE if that's a security patch, or really really a micro that's ok to pull up, submit a pullup. Or extract the fix and add that as a patch and submit that patch as a pullup, wait for bulk builds to rerun and have the new version. We do this all the time. Not saying every time there is a CVE, but it happens a lot.
Apologies. I didn't mean to give the impression I was talking about pre-pullup - I was wondering about what actions are taken when a pullup is made.
In that case, it seems no action is taken (for fast platforms), and we just wait for the next round of binary packages to be built and uploaded.
I suppose if there's ever a super critical vulnerability that could dramatically affect people, we can talk about any other actions then.
Thanks! John