Subject: Re: The pkgsrc-2006Q1 branch
To: Anne Bennett <anne@porcupine.montreal.qc.ca>
From: Greg Troxel <gdt@ir.bbn.com>
List: pkgsrc-users
Date: 04/01/2006 20:41:04
    (a) When audit-packages tells me that an installed package has a
        vulnerability, what actions do you recommend that I perform
        in reaction to that report?  (Each package's web page states "If
        you have a vulnerable package installed on any machine, you are
        advised to remove the package immediately" - which is not
        terrifically helpful in practice!)

    (b) When I want to upgrade a particular package (for example because
        I need its new functionality), how do you recommend that I do
        this, bearing in mind that I have a lot of other software
        installed and in use on the system?

These are very fair questions.  They are difficult to answer for two
reasons:

  When packages are updated in pkgsrc, sometimes the ABI changes.  To
  be safe, this requires rebuilding all the depending packages.

  pkgsrc supports building from source and also installing binary
  packages.  Getting the ABI dependencies right requires bumping the
  revision (nbN), given the current schemes.

So, when updating pkgsrc from cvs, usually many packages will appear
to need rebuilding.  A number of buildlink3 files will specify newer
required versions than are installed.  Thus, using make update, one is
led to a very large amount of rebuilding.  Presumably this is what you
are seeing.

I deal with this in two ways:

  I almost exclusively use "make replace" rather than "make update".
  This is unsafe, but works often, and requires far fewer rebuilds.

  I use pkg_comp and pkg_chk to build all the packages I need, and then
  pkg_delete all packages, clean out remaining cruft, and then add the
  newly built packages.

As to "do you have to reinstall all packages every 3 months", I'm
afraid the answer is yes, if you want to track a stable branch with
security maintenance.  But, with pkg_chk, and pkg_comp or binaries
from ftp.netbsd.org, doing the update isn't so painful.

-- 
        Greg Troxel <gdt@ir.bbn.com>
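As an added illustration (not part of Greg's mail), the rebuild cycle he describes, written as a script that defaults to a dry run. The package directory, prefix, and the use of "pkg_comp auto" to build the set named in pkg_comp.conf are assumptions about the local setup.

```shell
#!/bin/sh
# Added example, not from the mail: record the installed set, build fresh
# binaries in a pkg_comp chroot, delete everything, re-add the binaries,
# then re-check with audit-packages. Defaults to a dry run that only
# prints each step; set DRY_RUN=0 to execute. PKGDIR, PKG_PREFIX and
# the pkg_comp "auto" target are assumptions about this site's config.
DRY_RUN=${DRY_RUN:-1}
PKGDIR=${PKGDIR:-/usr/pkgsrc/packages/All}   # where pkg_comp leaves binaries
PKG_PREFIX=${PKG_PREFIX:-/usr/pkg}
CONF=${CONF:-/etc/pkgchk.conf}

run() {
    # Print the command in dry-run mode; otherwise execute it, stopping on error.
    if [ "$DRY_RUN" != 0 ]; then
        printf '%s\n' "$*"
    else
        "$@" || exit 1
    fi
}

rebuild_all() {
    # 1. Record what is installed, so the same set is rebuilt and re-added.
    run pkg_chk -g -C "$CONF"
    # 2. Build inside the pkg_comp chroot (assumed: "auto" builds the
    #    packages listed in pkg_comp.conf), leaving the live system alone.
    run pkg_comp auto
    # 3. Only after every binary exists, delete all installed packages
    #    (-r removes dependents first, -f keeps going past warnings).
    run sh -c "pkg_info | awk '{print \$1}' | xargs pkg_delete -r -f"
    # 4. Whatever is left under the prefix is cruft (or local config);
    #    list it for review rather than deleting blindly.
    run sh -c "find $PKG_PREFIX -type f"
    # 5. Re-add only the freshly built binaries, then re-run the audit
    #    so the cycle ends with an explicit "nothing flagged" check.
    run pkg_chk -a -b -C "$CONF" -P "$PKGDIR"
    run audit-packages
}
```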