by jquast 3579 days ago
Homebrew packages verify checksums, so very unlikely to be affected.

Depending on where they get their checksums. Anyone can submit an app update; as long as the official download link matches the provided checksum, it will get merged. The only benefit here is the delay introduced in receiving the update.
And where do the checksums come from?
Changes made by GitHub pull requests. I'm sure an anonymous contributor who submits only a checksum change, without a version bump, would most certainly fail review.
I don't believe that's true.

I'm googling to try to find how Homebrew uses checksums and where it gets them. But not everything homebrew installs comes from GitHub, so I don't see how checksums for all of it could come from 'Changes made by GitHub pull requests'.

And it looks like homebrew checksums both source packages and pre-compiled binaries. There's no way an upstream dependency would be providing their own checksum for a homebrew-compiled binary. Homebrew also switched from using MD5 to using SHA1 recently (https://github.com/Homebrew/brew/blob/master/share/doc/homeb...); obviously all of their dependencies didn't switch in unison too, which suggests the checksums do not come from the dependencies themselves.

Looking for more info about this, having trouble finding it. To have confidence in homebrew's checksum system, one needs to know how it works and where they come from, but having trouble finding it.

Or did you mean the checksum is made in a PR to homebrew's own repo? Right, but the question is still where it comes from. If it was generated from bad source obtained from upstream, it will of course be bad. It's just verifying that the package as installed matches what homebrew maintainers meant to install; but that's no guarantee that what homebrew maintainers meant to install wasn't bad in the first place. Since transmission was distributing bad packages itself due to a hack, I'm not following how homebrew providing a checksum means that it can't re-distribute bad packages from upstream. It does mean that homebrew itself is harder to hack than transmission, but doesn't necessarily help when transmission is hacked.
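The distinction being argued over above (a pinned checksum detects an artifact that changed after the pin was recorded, but says nothing about an artifact that was already compromised when a contributor computed the pin) can be shown with a small model of the two steps. This is an added example, not code from Homebrew or from anyone in the thread; the two artifacts are constructed byte strings, and `pin_from_upstream` / `verify_pinned` are hypothetical helper names standing in for the pull-request step and the install step.

```python
import hashlib
import hmac

# Constructed sample artifacts standing in for a downloaded installer.
# Neither is a real Transmission build; they only need to differ.
CLEAN_ARTIFACT = b"Transmission-2.90.dmg (clean build, constructed sample)"
TROJANED_ARTIFACT = b"Transmission-2.90.dmg (trojaned build, constructed sample)"


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data with the named hashlib algorithm (md5, sha1, sha256...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def pin_from_upstream(artifact: bytes, algorithm: str = "sha256") -> dict:
    """Models the PR step: a contributor fetches the upstream artifact and
    records its digest in the formula/cask. The pin inherits whatever state
    the artifact was in at that moment; it is not an independent oracle."""
    return {"algorithm": algorithm, "digest": digest_hex(artifact, algorithm)}


def verify_pinned(pin: dict, downloaded: bytes) -> bool:
    """Models the install step: recompute the digest of what was actually
    downloaded and compare it to the pinned value in constant time."""
    actual = digest_hex(downloaded, pin["algorithm"])
    return hmac.compare_digest(pin["digest"], actual)


def scenario_tampered_after_pin() -> bool:
    """Pin recorded from a clean artifact; upstream swapped later.
    The checksum catches this: returns False (install refused)."""
    pin = pin_from_upstream(CLEAN_ARTIFACT)
    return verify_pinned(pin, TROJANED_ARTIFACT)


def scenario_compromised_at_pin() -> bool:
    """Upstream already serving the trojaned artifact when the PR was made.
    The checksum matches: returns True (install proceeds), so the pin
    offers no protection against the hacked upstream, only against
    changes relative to what the maintainers merged."""
    pin = pin_from_upstream(TROJANED_ARTIFACT)
    return verify_pinned(pin, TROJANED_ARTIFACT)


def scenario_algorithm_changed() -> bool:
    """Switching the pin's algorithm (e.g. MD5 -> SHA1) does not change the
    trust model: the new digest is still computed from whatever upstream
    served at re-pin time."""
    pin = pin_from_upstream(TROJANED_ARTIFACT, algorithm="sha1")
    return verify_pinned(pin, TROJANED_ARTIFACT)


if __name__ == "__main__":
    print("tampered after pin  -> verify:", scenario_tampered_after_pin())
    print("compromised at pin  -> verify:", scenario_compromised_at_pin())
    print("re-pinned with sha1 -> verify:", scenario_algorithm_changed())
```

The practical consequence for a defender is that a checksum pin in a package repository is a change-detection control for the window between review and install; establishing that the artifact was clean at review time needs a separate signal (upstream signatures, reproducible builds, or an out-of-band notice such as the one Transmission issued).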

Probably a good idea to turn off auto-update from Transmission's preferences and only use

    brew update && brew cask install --force transmission
to update. Even though they're also meant to be checksummed, I can't know whether an attacker also compromised the checksum mechanism.
Do we need to --force just for updating?
Yep, brew cask will just tell you that Transmission is already installed without --force.