What is the function of hashes in homebrew formulae?

Question

Are the sha1 hashtags for a security purpose, or somehow for specifying formula dependencies? In the example below (for libdc1394) can I modify the source url to my own patched version in a local file? Or is the hashtag preventing me from doing this as a handshake/security feature?

In the homebrew formula cookbook it says that "a Hash specifies a formula dependency with some additional information", so I am confused as to what the actual purpose of the hash is.

below is /usr/local/Library/Formula/libdc1394.rb:

require "formula"

class Libdc1394 < Formula
  homepage "http://damien.douxchamps.net/ieee1394/libdc1394/"
  url "https://downloads.sourceforge.net/project/libdc1394/libdc1394-2/2.2.2/libdc1394-2.2.2.tar.gz"
  sha1 "13958c3cd0709565b5e4a9012dcf2a9b710264e2"

  bottle do
    cellar :any
    sha1 "063e3babff63f462de1b7d053690ae3f0e250bcb" => :mavericks
    sha1 "52d23eb6514dfc5c9aa554bade7dac92deefec70" => :mountain_lion
    sha1 "9f703002e33433885f3f2cb9e4a4006585282a01" => :lion
  end

  depends_on "sdl"

  # fix issue due to bug in OSX Firewire stack
  # libdc1394 author comments here:
  # http://permalink.gmane.org/gmane.comp.multimedia.libdc1394.devel/517
  patch :DATA

  def install
    system "./configure", "--disable-dependency-tracking",
                          "--prefix=#{prefix}",
                          "--disable-examples",
                          "--disable-sdltest"
    system "make install"
  end
end

__END__
diff --git a/dc1394/macosx/capture.c b/dc1394/macosx/capture.c
index c7c71f2..8959535 100644
--- a/dc1394/macosx/capture.c
+++ b/dc1394/macosx/capture.c
@@ -150,7 +150,7 @@ callback (buffer_info * buffer, NuDCLRef dcl)

     for (i = 0; i < buffer->num_dcls; i++) {
         int packet_size = capture->frames[buffer->i].packet_size;
-        if ((buffer->pkts[i].status & 0x1F) != 0x11) {
+        if (buffer->pkts[i].status && (buffer->pkts[i].status & 0x1F) != 0x11) {
             dc1394_log_warning ("packet %d had error status %x",
                     i, buffer->pkts[i].status);
             corrupt = 1;

Answer 1

It's common for open-source projects to specify MD5 or SHA hashes when they release software (especially in in binary form) so the user can make sure the software didn't get corrupted somehow during the download. I would assume Homebrew is just taking the precaution of verifying that the hashes match.

Note that the sentence you quoted from the cookbook is talking about Ruby's hash object type, which has nothing to do with MD5/SHA hashes (nor indeed with hashtags as found on social media) -- specifically as parameters to the depends_on method. The given example line depends_on "boost" => "with-icu" is one that takes a hash -- specifically a hash with a string value; in this case it means Homebrew would specifically invoke the option with-icu inside the boost formula when that formula got installed as a dependency.

You certainly can put your own patched version of the required software into the formula, as long as you calculate your own hash from your version and specify it in the formula, or just take out the sha1 (or md5, etc.) line entirely.