downgrading packages

rainer at ultra-secure.de
Wed Jul 13 09:23:45 UTC 2016


Hi,

I just had to do a downgrade from 2016Q3 to 2015Q2 because a customer 
realized his script to send mails with attachments relied on some PHP 
security-fix not being applied that came in more than a year ago.

I "locked" pkg in place, did a "pkg update -f && pkg upgrade -f" and 
rebooted.

It actually worked, but I'm always wondering if that is really such a 
good idea.

I build my own packages from the quarterly cuts of the ports-tree and 
fix the defaults of apache, php et al. to certain versions and generally 
try to stick to them for the whole of the major release-cycle (and I 
always built for the oldest supported release of that version), so 
there's little chance of having to do a major version downgrade on the 
application-side.





More information about the freebsd-pkg mailing list