Mark, if I'm understanding you correctly, you seem to be saying use pkg for everything you can, and build the custom ports yourself. Is that right?
Absolutely. BUT, I am only talking within this perspective:
1. You don't want to bother answering 100 questions to get some port to build, and/or
2. You have a limited capacity machine on which to run ports.
Nowadays, the complexity is enormous. Every port seems to have its own build system, where it needs to pull in python, perl, ruby, go, java and (God help me!) Rust to run a test that outputs "hello world". It's just gone mad. (I use cmake a lot nowadays, but, seriously, autotools did the job. Now there are more build tools than I can count; ninja, meson, automake, cmake, gmake, scons, sbuild, etc., etc., etc.)
Why torture yourself when a build server has already done the hard yards and built a package for you?
Here's a couple of problems that I ran into over the past couple of days getting the mail server updated.
1) I had to install and configure Roundcube because Squirrelmail is EOL. So, I ran pkg install roundcube. Later, I was running portmaster, and it wanted to update roundcube. So, clearly, pkg is "behind" ports (for roundcube at least).
Why? Didn't you just install roundcube? What makes you think updating via ports will make it better? I don't use portmaster (never have) but can't it be used to pull in packages in lieu of building from source to satisfy dependencies? Just what I'm suggesting.
Are packages behind ports? Well it depends on the package repository. Is it pointing to latest or quarterly? Compared to ports? Ports are, with hesitation, always ahead of packages.
If you're going to mix and match, you best get those two synchronised before you go updating.
2) I locked several important apps and then ran pkg upgrade. It upgraded/installed 121 packages. I then ran portmaster. It wanted to update a bunch more. (I have 349 ports installed on that machine. I don't even know why two-thirds of them are needed.) So, there is obviously a difference between pkg and building ports with portmaster.
This sounds like I'm picking on you, but I am not. However, you raised the spectre so I will address it.
Why are you upgrading? What are you hoping to achieve? Is some software you're using broken? Have security issues?
Install the software, configure it and leave it. You'll thank me for that sage advice.
How do you reconcile that? I require certain php extensions for some of the stuff we're running. But pkg removes them because they're not on its list of options. How do I resolve that using pkg?
Build the port. Off hand, I would suspect some package that has hard-coded requirements for php extensions is probably bad anyway. Regardless, build from ports. However, you need to ensure your port tree is synced as close to the quarterly as possible. If you're using latest, then you're in for a world of hurt.
I know the consensus is don't mix/match ports and packages, and yes, it's probably good advice. I don't know your level of programming knowledge so this also might be bad advice from me. All I can say is for many years I have been doing this and NOTHING has ever happened I can't fix quite quickly (usually versions of libraries).
YMMV.
I'm open to new ideas. I just need to understand how it works and what the risks are.
Don't update unnecessarily. If you want the latest/greatest/flashiest feature, then stick to the latest branch of ports and update every day. I hope you like wasting time.
If you stick to quarterly a lot more packages are stable. Security fixes and that's about all. No need to update, just install your package and relax.
For those who have expressed concern about backups, here's what I'm doing. I wrote a script that creates .tgz files from the bits that need to be backed up (including a mmddyyyy.all.sql file that backs up the MySQL DBs), then writes them to /var/backup/. The filenames use the pattern mmddyyyy.filename.tgz. Then they are uploaded to my Dropbox folder. Each day, when the script runs, it deletes the previous day's file from /var/backup/ and the previous 7th-day file from Dropbox. This keeps the /var partition from filling up while keeping the most recent backup handy on the hard drive, and keeps the previous 7 days' backups on Dropbox in case I have a disaster that requires an older backup.
Kludgy, I know, but it's the best I can do with no money for backup software. If you need me to restore something from last month or last year, you're out of luck.
How big are the backups? I'd buy two 128GB+ USB flash drives and use them in rotation for, say, a month plus your off-site.
In summary: if you're scared that mixing ports and packages will make your system unusable, that you don't feel capable of dealing with an odd situation should it arise, and you're worried about the impact on others, then you should probably stick to packages (where customisation is out) or ports (where customisation is in but is tedious) and never mix the two.
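The daily rotation the backup script above is described as doing (dated .tgz sets plus an all.sql dump, yesterday's set dropped locally, the oldest set dropped off-site), written out here as an added POSIX sh example that is not the poster's own script. BACKUP_DIR, OFFSITE_DIR (a local directory standing in for the Dropbox folder), the source list and KEEP_DAYS are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not the poster's script; paths and source list are assumptions.
set -eu
umask 077   # archives hold configs and DB dumps; keep them owner-only
BACKUP_DIR="${BACKUP_DIR:-/var/backup}"
OFFSITE_DIR="${OFFSITE_DIR:-${HOME:-/root}/Dropbox/backup}"   # stands in for Dropbox
KEEP_DAYS=7   # off-site sets kept before the oldest is dropped
# mmddyyyy for N days ago; tries BSD date (-v) first, then GNU date (-d)
stamp_days_ago() {
    date -v-"$1"d +%m%d%Y 2>/dev/null || date -d "$1 days ago" +%m%d%Y
}
# Archive one directory as <stamp>.<name>.tgz. Usage: make_tgz STAMP NAME DIR
make_tgz() {
    out="$BACKUP_DIR/$1.$2.tgz"
    tar -czf "$out" -C "$(dirname "$3")" "$(basename "$3")"
    printf '%s\n' "$out"
}
# Dump every MySQL database to <stamp>.all.sql. Usage: dump_mysql STAMP
dump_mysql() {
    mysqldump --all-databases > "$BACKUP_DIR/$1.all.sql"
}
# Copy the set carrying STAMP off-site. Usage: copy_offsite STAMP
copy_offsite() {
    mkdir -p "$OFFSITE_DIR"
    cp -- "$BACKUP_DIR"/"$1".* "$OFFSITE_DIR"/
}
# Delete every file carrying STAMP in DIR; a missing set is not an error.
prune_stamp() {
    for f in "$1"/"$2".*; do
        [ -e "$f" ] && rm -f -- "$f"
    done
    return 0
}
# One daily run: build today's set, ship it, then rotate local and off-site.
daily_run() {
    today=$(stamp_days_ago 0)
    mkdir -p "$BACKUP_DIR"
    for src in /usr/local/etc /usr/local/www; do   # assumed source list
        make_tgz "$today" "$(basename "$src")" "$src" >/dev/null
    done
    dump_mysql "$today"
    copy_offsite "$today"
    prune_stamp "$BACKUP_DIR" "$(stamp_days_ago 1)"              # yesterday's local set
    prune_stamp "$OFFSITE_DIR" "$(stamp_days_ago "$KEEP_DAYS")"  # oldest off-site set
}
if [ "${1:-}" = run ]; then daily_run; fi
```

Run it as `sh backup.sh run` from cron; the functions can be sourced on their own to restore or inspect a given day's set.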