The source of a package often consists of three files: a .orig.tar.gz, a .dsc and a .diff.gz, except in the case of software made specifically for Debian (also called native packages), in which no .diff.gz file exists and the .tar.gz file usually won't have "orig" in the name.
The .orig.tar.gz file consists of the source code of the program as the original author developed it, or as close to that as possible. No Debian-specific changes are made to it. Of course, sometimes it is impossible to keep the original tarball exactly as its authors delivered it, for various reasons:
- There is no original tarball. The source code has been directly obtained from a versioning system, or something similar.
- The original tarball includes contents that are not DFSG-free, or that cannot even be redistributed. The tarball has to be remade to remove these.
- The original tarball is stored in an improper format. The original authors sometimes release their source code in .zip, .rar, or any other file compression format not supported by Debian.
- The original tarball includes contents that are large and entirely unneeded, such as pre-compiled binaries.
The .diff.gz file includes all the changes made specifically for Debian, including all the files related to the packaging (which always go into the debian/ directory once applied). The format of this file is a gzip'ed difference file (a patch) between the original tarball and the final source we'll need to create the packages. The .diff.gz file won't be able to handle differences between binary files, because of the options used to create it, so if any binary file needs to be changed in the original code to create the packages (typically graphical .png or .jpg image files, for example), the maintainer has to find a workaround for that.
The .dsc file is a short text file that holds information about the source package: its name and version, the names of its maintainers, the dependencies needed for creating the binary packages from it, and the list of the other files that make up the package source together with their hashes. As the .dsc file is almost always digitally signed, verifying that signature and then checking the listed hashes guarantees that neither this file nor the rest of the files that make up the source of the package have been modified by a third party.
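The hash check described above, as an added example (not code from Debian's own tools): it reads the Checksums-Sha256 field of a .dsc and compares each listed size and hash with the files on disk. It assumes the signature on the .dsc has already been verified separately (for example with gpg) and that dsc_text is the signed content; the function names and the sample package "hello" are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_sha256_entries(dsc_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line[:1] != " ":  # a new field (or blank line) ends the previous list
            in_field = line.startswith("Checksums-Sha256:")
        elif in_field and line.strip():
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_source_files(dsc_text, directory):
    """Return {filename: status} for every file the .dsc lists."""
    results = {}
    for name, (digest, size) in parse_sha256_entries(dsc_text).items():
        path = os.path.join(directory, name)
        if os.path.basename(name) != name:  # reject names with path components
            results[name] = "unsafe name"
        elif not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size mismatch"
        else:
            results[name] = "ok" if sha256_file(path) == digest else "hash mismatch"
    return results

def demo():
    """Constructed sample: the diff on disk differs from what the .dsc lists."""
    files = (("hello_1.0.orig.tar.gz", b"upstream source", b"upstream source"),
             ("hello_1.0-1.diff.gz", b"debian changes", b"debian chAnges"))
    with tempfile.TemporaryDirectory() as d:
        dsc = "Format: 1.0\nSource: hello\nChecksums-Sha256:\n"
        for name, listed, on_disk in files:
            dsc += f" {hashlib.sha256(listed).hexdigest()} {len(listed)} {name}\n"
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(on_disk)
        return verify_source_files(dsc, d)
```

In the constructed sample the altered diff has the same size as the listed one, so only the hash comparison catches the change.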