tech-pkg archive


pkgin suggesting pkg downgrade?



Hi,

on several of my hosts I have taken care of installing (from
source, after updating pkgsrc/security/openssh) openssh-9.9p2 due
to the latest set of vulnerabilities which are also present in
openssh-9.9p1 but fixed in openssh-9.9p2.

However, "pkgin -n fug" still suggests to "upgrade" to
openssh-9.9p1, ref.:

# pkg_info  | grep openssh
openssh-9.9p2       Open Source Secure shell client and server (remote login program)
# pkgin -n fug
calculating dependencies...done.

6 packages to refresh:
fstrm-0.6.1nb1
osabi-NetBSD-10.0
pkglint-23.10.0
standalone-tcsh-6.24.14
userspace-rcu-0.12.1
vault-1.6.6nb37

11 packages to upgrade:
abseil-20240722.0
git-base-2.48.1
go-1.23.5
go122-1.22.11
go123-1.23.5nb1
libevent-2.1.12nb2
openssh-9.9p1
protobuf-28.3
protobuf-c-1.5.0nb7
vim-9.1.1122
vim-share-9.1.1122

0 to remove, 6 to refresh, 11 to upgrade, 0 to install
207M to download, 2026K of additional disk space will be used
# pkg_info | grep pkgin
pkgin-24.12.0       Apt / yum like tool for managing pkgsrc binary packages
#

Is this a bug?  I think it is...  Or is it simply a "limitation",
and "you're not supposed to mix source and binary packages" (how
else do you then deal with vulnerabilities like this in a timely
manner?)  If you think it's a bug, I can submit a PR, but I'd
like some feedback beforehand.

Regards,

- Håvard

