Subject: Re: How to update to the latest OpenSSH?
To: None <tech-security@netbsd.org>
From: Paul Hoffman <phoffman@proper.com>
List: tech-security
Date: 12/04/2001 19:21:57
So, back to my original questions. If I want to (a) update to the 
latest OpenSSH and (b) take steps to prevent the badness of going to 
an older version if I update to, say, 1.5.2, what can I do? I can 
make OpenSSH from pkgsrc and edit /etc/rc.d/sshd to point to 
/usr/pkg, but how do I prevent a future update from overwriting 
/etc/rc.d/sshd and pointing to /usr/sbin/sshd? Simply removing 
/usr/sbin/sshd won't be enough, because the future update will 
probably put in a new sshd. Is there some fancy permissions thing I 
can do to cause the future update to fail to change /etc/rc.d/sshd?

This seems like a serious security issue, although it might be best 
handled in connection with the folks who work on version installers.

--Paul Hoffman