Showing the difference between two versions of a Debian package
Posted by Steve on Fri 9 Sep 2005 at 08:13
If you have the source code to two revisions of a Debian package and wish to identify the changes between them, there is a very handy tool called interdiff which makes that easy.
Whilst it is not often useful for package users, it can be very useful to Debian developers, or to people curious to see what has changed in a package in more detail than might be present in the ChangeLog.
Debian package source code is typically stored as a collection of three files:
- A tarball containing the "normal" source code of the project, as released by the upstream developers, or original author.
- A Debian-specific patch which is applied against that, producing the debian/ subdirectory containing build instructions, copyright information, and other related details needed to produce the binary package(s).
- A .dsc file which contains various checksums and other related information.
When you're looking at the differences between two revisions of Debian packages you're really looking at two potentially distinct things:
- The changes in the original release tarball.
- The changes in the Debian-specific patch, such as the ChangeLog entries.
interdiff will not help you with the former change, but works beautifully for the latter.
As a simple example, consider the recently-released security advisory covering Apache2, DSA-805.
In the Sarge release the Apache2 package was version apache2_2.0.54-4. Now that the security update has been released the current stable version is apache2_2.0.54-5. The security advisory gives you an overview of what changed, but how do you find out specifically which changes were made?
If you wish to discover this, and you have the interdiff package installed, you can see exactly what the differences are.
As the upstream source tarball hasn't changed, the only differences will be contained in the two Debian-specific patch files:
- The original Debian patch.
- The new Debian patch.
If you download both of these, and uncompress them with gunzip, you can see what has changed between them by running:
interdiff apache2_2.0.54-4.diff apache2_2.0.54-5.diff
The output shows exactly what has changed between the two diffs. In our case we can see the code changes and the associated changelog:
--- apache2-2.0.54/debian/changelog +++ apache2-2.0.54/debian/changelog @@ -1,3 +1,19 @@ +apache2 (2.0.54-5) stable-security; urgency=high + + * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL + certificate validation; see CAN-2005-1268 (closes: #320048, #320063) + * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy + where, when a response contains both Transfer-Encoding and Content-Length + headers, the connection can be used for HTTP request smuggling and HTTP + request spoofing attacks; see CAN-2005-2088 (closes: #316173) + * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache + when large byte ranges are requested; see CAN-2005-2728 (closes: #326435) + * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context + of the SSLVerifyClient directive is not honoured within a
+ nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700 + + -- Adam Conrad <firstname.lastname@example.org> Fri, 2 Sep 2005 22:26:28 +1000 + apache2 (2.0.54-4) unstable; urgency=low
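Review bot: in the 046_verify_client_CAN-2005-2700 entry the text reads "not honoured within a" and resumes with "nested in a <VirtualHost>", so the name of the inner container is missing as shown; restore it so the affected configuration context is unambiguous. That entry is also the only one of the four without a "(closes: #...)" bug reference, so add one if a bug was filed for it.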
Whilst we've used interdiff here in a very specific way, to discover the changes between two package versions, it is a general-purpose tool.
interdiff allows you to see the differences between two diff files, as produced by the diff tool. Using it for spotting Debian package changes at the source level is just one example of how useful it can be.
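As an added example (not part of the original article, and not how interdiff itself is implemented), the sketch below shows why comparing two Debian diffs reveals the packaging changes: files under debian/ do not exist upstream, so each diff carries their full contents as "@@ -0,0 +1,N @@" hunks that can be rebuilt and compared directly. The package name pkg, the sample diffs and the function names are constructed for illustration; changes the Debian diff makes to upstream files are skipped, which interdiff handles properly.

```python
import difflib
import re

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def created_files(diff_text):
    """Map path -> content lines for each file the diff creates from scratch."""
    files, path, lines = {}, None, iter(diff_text.splitlines())
    for line in lines:
        m = HUNK.match(line)
        if line.startswith("+++ "):   # "+++ pkg-1.0/debian/rules" -> "debian/rules"
            path = line[4:].split("\t")[0].split("/", 1)[-1]
        elif m and path is not None:
            old_n, new_n = int(m.group(1) or 1), int(m.group(2) or 1)
            created = old_n == 0      # "@@ -0,0 +1,N @@": file absent upstream
            while old_n > 0 or new_n > 0:   # consume the hunk body by line count
                body = next(lines)
                # "\ No newline at end of file" markers count on neither side
                old_n -= (body[:1] in ("", " ", "-"))
                new_n -= (body[:1] in ("", " ", "+"))
                if created:
                    files.setdefault(path, []).append(body[1:])
    return files

def debian_changes(old_diff, new_diff):
    """Unified diff of every created file that differs between two revisions."""
    old, new = created_files(old_diff), created_files(new_diff)
    out = []
    for path in sorted(old.keys() | new.keys()):
        out += difflib.unified_diff(old.get(path, []), new.get(path, []),
                                    "old/" + path, "new/" + path, lineterm="")
    return out

# Constructed sample input for a hypothetical package "pkg" (not the apache2 diffs).
OLD = """--- pkg-1.0.orig/debian/changelog
+++ pkg-1.0/debian/changelog
@@ -0,0 +1 @@
+pkg (1.0-1) unstable; urgency=low
"""
NEW = """--- pkg-1.0.orig/debian/changelog
+++ pkg-1.0/debian/changelog
@@ -0,0 +1,2 @@
+pkg (1.0-2) stable-security; urgency=high
+pkg (1.0-1) unstable; urgency=low
--- pkg-1.0.orig/debian/patches/01_length_check
+++ pkg-1.0/debian/patches/01_length_check
@@ -0,0 +1,2 @@
++++ b/x.c
++if (n >= len)
"""
```

Calling debian_changes(OLD, NEW) returns the new changelog stanza plus the whole of the newly added patch file, whose own diff markers appear with one extra leading "+", just as the files under debian/patches do in real interdiff output.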