Show local configuration changes

Following a train of thought, I got to the idea that it would be nice to have a way to ask an installed package to show a diff between the configuration that it would autogenerate and the configuration that is on the system.

# /var/lib/dpkg/info/postfix.postinst config-diff
--- a/aliases
    +++ b/aliases
    @@ -2,3 +2,7 @@
     postmaster:    root
     clamav: root
     logcheck: root
    +
    +root: enrico

    --- a/postfix/main.cf
    +++ b/postfix/main.cf
    @@ -25,14 +25,35 @@ smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
     alias_database = hash:/etc/aliases
     myorigin = /etc/mailname
     mydestination = enricozini.org, localhost.localdomain, localhost
    +virtual_alias_domains = enricozini.com
    +virtual_alias_maps = hash:/etc/postfix/aliases-virtual
     relayhost =
     mynetworks = 127.0.0.0/8
     mailbox_command = procmail -a "$EXTENSION"
     mailbox_size_limit = 0
     recipient_delimiter = +
     inet_interfaces = all
    +message_size_limit = 20480000

This would be quite useful (if you're not using a tool such as etckeeper): partly for backups, but more interestingly for inspecting a Debian box, to see what is stock configuration and what has been manually changed.

Moreover, this could be used to automately create an installation CD that would install a system with the same configuration, by saving the set of debconf preseeds and the set of /etc/ patches.

In theory, it would not be too difficult to generate such a diff: for packages that don't change config files in postinst, it's just a matter to diff with the original files as found in the .deb. For the other packages, the code to generate the configuration can be recycled outputting the results to a temporary directory, then a diff can be made with the corresponding files in /etc.

I can see this being easily doable for 90% of the packages, and I am wondering about the rest: is it thinkable to pursue this way, assuming that what wouldn't support it today could be made to support it in the future, or are there some configuration cases that just cannot be made to work in this way, no matter what?