So, if an FTP server is set up, and there is a public area for new package uploads (which would be subject to approval) - why not a password-protected 'updates' area for developers who already have approved packages?
To update a package, just ftp the zip and json file to the protected 'updates' area. No need for external zips with such a simple system.
In the meantime, OPM (or a separate cron maintenance app) regularly and automatically checks the protected area (just the jsons, so not too heavy) and if it finds a newer version number for an existing package, it transfers the zip to the OPM server and deletes it from the FTP 'updates' area.
This would make maintenance of existing packages a breeze for both devs and the OPM manager. A weakness is that it would rely on devs not producing a 'bad' update which would propagate to the main server, but it is probably OK because otherwise it means the maintainer has to approve all updates as well as new stuff, which seems unnecessary work.
The only manual maintenance of OPM would be vetting new packages. Once approved, the dev gets r/w access to the protected 'updates' ftp directory and ongoing maintenance is then up to the dev.
A viable system?
Whatever system is adopted, I have a point update to CryptINI (v0.0.9) ready to test whatever is decided.
On a different note, is Lazarus svn trunk no longer synchronised? I get revision 41451 from the svn server (with no OPM).
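The periodic JSON-only check proposed in the post above, sketched as an added example that is not part of the original post and not OPM's code. The metadata fields (`name`, `version`, `zip`), the catalog dictionary and all sample values are assumptions constructed for illustration; the approved-package and plain-file-name checks go slightly beyond the version comparison the post describes.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed metadata fields (not OPM's real schema): name, version, zip.
def parse_version(text):
    """'0.0.9' -> (0, 0, 9, 0); raises ValueError on anything but dotted integers."""
    if not isinstance(text, str) or not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError("bad version string")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def sweep(updates_dir, catalog):
    """Read only the JSON files; return (accepted, rejected) without moving anything."""
    accepted, rejected = [], []
    for meta_path in sorted(Path(updates_dir).glob("*.json")):
        try:
            meta = json.loads(meta_path.read_text(encoding="utf-8"))
            name, zip_name = meta["name"], meta["zip"]
            new = parse_version(meta["version"])
            if name not in catalog:
                raise ValueError("package not yet approved")
            if Path(str(zip_name)).name != zip_name or not zip_name.endswith(".zip"):
                raise ValueError("zip must be a plain file name")
            if not (Path(updates_dir) / zip_name).is_file():
                raise ValueError("zip missing from updates area")
            if new <= parse_version(catalog[name]):
                raise ValueError("version not newer than catalog")
        except (ValueError, KeyError, TypeError) as exc:
            rejected.append((meta_path.name, str(exc)))
            continue
        accepted.append((name, meta["version"], zip_name))
    return accepted, rejected

def demo():
    """Constructed uploads: one real update, one unapproved, one stale, one bad path."""
    catalog = {"CryptINI": "0.0.8", "OtherPkg": "1.2"}  # constructed current versions
    samples = {
        "cryptini.json": {"name": "CryptINI", "version": "0.0.9", "zip": "cryptini.zip"},
        "new.json": {"name": "Unvetted", "version": "9.9", "zip": "new.zip"},
        "other.json": {"name": "OtherPkg", "version": "1.2.0", "zip": "other.zip"},
        "traversal.json": {"name": "CryptINI", "version": "1.0", "zip": "../cryptini.zip"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fname, meta in samples.items():
            Path(tmp, fname).write_text(json.dumps(meta), encoding="utf-8")
            Path(tmp, Path(meta["zip"]).name).write_bytes(b"PK")
        return sweep(tmp, catalog)
```

Versions are compared as integer tuples, so 0.0.10 ranks above 0.0.9 and 1.2.0 is treated as equal to 1.2 rather than newer.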