Future: Consider adding risk if many "downstream-only" patches

[david-a-wheeler]

Consider the number of downstream-only patches. E.G., if a deb or rpm includes more than 5 patches which have not been accepted upstream, the package receives a point. Distros carry patches for unique packaging requirements and when the upstream project is non-responsive. One or two patches may adjust for unique requirements, but beyond that (especially if they last a long time) they may suggest a non-responsive project. The patches are often less reviewed than the original project and so may add risk to the project all by themselves. This parameter may have some overlap with the Contributor Count parameter already included (if there are few contributors, downstream patches may be the only effective way to fix something).