The OpenSSL fiasco has started a fresh discussion on Debian source packages and the way we handle changes to upstream software. One of the issues under discussion is that some Debian packages don't use a patch system and ship all their modifications unseparated in the Debian .diff.gz, which makes it harder or impossible to extract patches later on and to understand why some changes were made. The commonly recommended way of doing things is instead to keep the upstream source pristine, storing modifications cleanly separated and documented under debian/patches; several tools such as quilt or dpatch can make this process easy.
Out of curiosity, I did a quick scan of my local mirror to see how many packages ship changes outside debian/ in their .diff.gz, and I was surprised to see that 4803 source packages out of 11853 (40%) do so! This is much more than I expected. Some packages even use a patch system but still have changes in .diff.gz, as shown by this lintian check.
The most commonly patched files in affected packages are:
1006 config.sub
1002 config.guess
823 Makefile
754 configure
715 Makefile.in
484 aclocal.m4
Most of these are caused by autotools updates which are necessary if upstream ships old versions of these files. In many cases there are clean ways to deal with this, for example to always have up-to-date versions of config.{guess,sub} you can simply make them re-exec their authoritative versions (as shown by this patch) and build-depend on autotools-dev.
If you don't use a patch system, now is a good time to start. The New Maintainers' guide has more information on the topic.
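To run the same kind of check on a single source package, the sketch below lists the files a format-1.0 .diff.gz touches outside debian/. It is an added example, not the script used for the figures above; the function names and the sample diff for a made-up package "hello" are constructed for illustration, and it assumes the unified-diff layout that dpkg-source writes.

```python
import gzip
import re

# Constructed sample: a tiny format-1.0 .diff.gz for a made-up package "hello".
SAMPLE_DIFF_GZ = gzip.compress(b"""\
--- hello-1.0.orig/config.sub
+++ hello-1.0/config.sub
@@ -1,2 +1,4 @@
 #! /bin/sh
+++ marker line added by the packager
+timestamp='2008-01-01'
 # Configuration validation subroutine script.
--- hello-1.0.orig/debian/rules
+++ hello-1.0/debian/rules
@@ -0,0 +1,2 @@
+#!/usr/bin/make -f
+%:
""")

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def patched_files(diff_gz):
    """Return the paths a .diff.gz touches, top-level source dir stripped."""
    text = gzip.decompress(diff_gz).decode("utf-8", "replace")
    paths, old_left, new_left = [], 0, 0
    for line in text.split("\n"):
        if old_left > 0 or new_left > 0:
            # Inside a hunk: count body lines, so an added line that itself
            # starts with "+++ " is not mistaken for a file header.
            if line.startswith("+"):
                new_left -= 1
            elif line.startswith("-"):
                old_left -= 1
            elif not line.startswith("\\"):  # "\ No newline at end of file"
                old_left -= 1
                new_left -= 1
            continue
        m = HUNK.match(line)
        if m:
            # An omitted count in a hunk header means 1.
            old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
        elif line.startswith("+++ "):
            name = line[4:].split("\t")[0]  # drop a trailing timestamp, if any
            paths.append(name.split("/", 1)[1] if "/" in name else name)
    return paths

def outside_debian(paths):
    """Keep only changes to the upstream tree, i.e. not under debian/."""
    return [p for p in paths if p != "debian" and not p.startswith("debian/")]

if __name__ == "__main__":
    print(outside_debian(patched_files(SAMPLE_DIFF_GZ)))
```

A non-empty result means the package carries upstream changes directly in its .diff.gz; those are the changes a reviewer cannot trace back to a documented patch.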
3 comments:
And what is the average diffstat? (insertions/deletions)
I think you could end the need to update config.sub/config.sub by sending a more complex version of that patch upstream.
Basically, it would check a certain number of locations for config.sub/guess and exec it if it is newer than the age of the current config.guess/sub.
I don't have statistics on the average diffstat, I'm not sure they would be significant given the number of autogenerated files in those diffs...