who (or what grouping) has control of the 'official' repositories, what are the criteria for inclusion/rejection of submitted packages, whether some PPA-type system should be in place for addition of private repositories, who will police it in terms of enforcing adherence to the stated policies, and so on.
I'm not necessarily suggesting an "official" repository. That might not work for Lazarus. For example, the QGIS repository has rules that are probably far too rigid for Lazarus (http://plugins.qgis.org). It needs to fit the "culture" of Lazarus. For example, QGIS is a very Euro-centric effort, with many core members being employees of Euro government agencies or their contractors, so a rigid submission policy might naturally fit their bureaucratic modus operandi.
However, that doesn't mean the project manager couldn't have technical requirements. For example (and only as examples):
(1) Package must have a proper license. If it's the same as LCL or FPC RTL, just state so or point to the FPC modified LGPL doc files. If it's something else, anything, just have a link to it (Eclipse, BSD, etc.). The only thing unacceptable might be if nothing is specified in the JSON file. By clearly stating what license is used, the user of the package manager can decide beforehand whether that's even a package they're interested in.
(2) If the package depends on LCL (i.e., has LCL under RequiredPkgs in the .lpk file), then it must specify what LCL interfaces it has been tested against. I typically test against Carbon, Win32, GTK2 at a minimum so that I can legitimately say that the package is cross-platform.
That sort of thing.