3 files changed, 25 insertions, 0 deletions

diff --git a/Library/Homebrew/dev-cmd/audit.rb b/Library/Homebrew/dev-cmd/audit.rb
index 3c42b45a1..c11c503e3 100644
--- a/Library/Homebrew/dev-cmd/audit.rb
+++ b/Library/Homebrew/dev-cmd/audit.rb
@@ -31,6 +31,9 @@
 #:
 #:    If `--except-cops` is passed, the given Rubocop cop(s)' checks would be skipped.
 #:
+#:    If `--commit-range` is is passed, the audited Formula will be compared to the
+#:    last revision before the `<commit_range>`.
+#:
 #:    `audit` exits with a non-zero status if any errors are found. This is useful,
 #:    for instance, for implementing pre-commit hooks.
 
@@ -648,9 +651,25 @@ class FormulaAuditor
       problem "Devel-only (no stable download)"
     end
 
+    previous_formula_contents = unless formula.tap.nil?
+      commit_range = ARGV.value("commit-range")
+      Git.last_revision_of_file(formula.tap.path, formula.path, before_commit: commit_range)
+    end
+    previous_formula = unless (previous_formula_contents || "").empty?
+      Formulary.from_contents(formula.name, formula.path, previous_formula_contents)
+    end
+
     %w[Stable Devel HEAD].each do |name|
       next unless spec = formula.send(name.downcase)
 
+      unless previous_formula.nil?
+        previous_spec = previous_formula.send(name.downcase)
+
+        if previous_spec.version == spec.version && previous_spec.checksum != spec.checksum
+          problem "#{name}: only sha256 changed; needs to be confirmed by the developer"
+        end
+      end
+
       ra = ResourceAuditor.new(spec, online: @online, strict: @strict).audit
       problems.concat ra.problems.map { |problem| "#{name}: #{problem}" }
 
diff --git a/docs/Manpage.md b/docs/Manpage.md
index 2dac89443..fa8a7572a 100644
--- a/docs/Manpage.md
+++ b/docs/Manpage.md
@@ -643,6 +643,9 @@ With `--verbose` or `-v`, many commands print extra debugging information. Note
 
     If `--except-cops` is passed, the given Rubocop cop(s)' checks would be skipped.
 
+    If `--commit-range` is is passed, the audited Formula will be compared to the
+    last revision before the ``commit_range``.
+
     `audit` exits with a non-zero status if any errors are found. This is useful,
     for instance, for implementing pre-commit hooks.
 
diff --git a/manpages/brew.1 b/manpages/brew.1
index ca11439a6..c4006ef47 100644
--- a/manpages/brew.1
+++ b/manpages/brew.1
@@ -674,6 +674,9 @@ If \fB\-\-only\-cops\fR is passed, only the given Rubocop cop(s)\' violations wo
 If \fB\-\-except\-cops\fR is passed, the given Rubocop cop(s)\' checks would be skipped\.
 .
 .IP
+If \fB\-\-commit\-range\fR is is passed, the audited Formula will be compared to the last revision before the \fB<commit_range>\fR\.
+.
+.IP
 \fBaudit\fR exits with a non\-zero status if any errors are found\. This is useful, for instance, for implementing pre\-commit hooks\.
 .
 .TP