While we are on the subject of external zips, how about looking at security?
Let's say, as a user, I download and update a component from OPM in my Lazarus 1.8, but...
...it turns out that the external update zip wasn't hosted on a secure version control server (GitHub, SourceForge etc.) and a malicious person has replaced the update zip with a malware version (without the maintainer's knowledge). Components, once installed, have a lot of power. An 'Execute' method (or any method) could do some bad stuff, and quite invisibly too. Few ordinary component users (like me) check
all the source code before using an updated component, particularly if it appears 'built-in' to Lazarus (as OPM's packages will appear).
This is why I suggested a protected area on a known secure server for update zips. Upload access can be as secure as needed (like commit access to the ccr). I would favour SourceForge because I'm used to it, it uses SVN and it does automatic virus checks on all file uploads.
Even better would be an ftp server with multiple folders tied to individual logins to avoid 'cross-contamination' between component commits/uploads (as the SourceForge ccr allows). With only a few dozen components, it doesn't take long to set up (for example)
ftp://cryptini.secureserver.com to point to the /components/cryptini folder with a unique login to upload - and it's mostly a one-off process. These would then be the unique 'master' versions @JuhaMannien was talking about. OPM/GetMem would have access to the whole /components tree (OPM=read-only, GetMem=read + write) via separate logins. Having the read-only login/URL in OPM source code would not be a security risk.
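As an added example, not part of the post above and not OPM's own code: the client-side check that makes the "replaced zip on the download host" scenario fail regardless of where the zip is hosted. It assumes the maintainer publishes a SHA-256 digest of the update zip through a channel separate from the download server (for instance inside the package list OPM already fetches), compares the download against it, and additionally refuses archives whose entries would be written outside the install folder. The package contents, file names and digest below are constructed for the example; "cryptini" is only borrowed from the folder name in the post.

```python
from __future__ import annotations

import hashlib
import hmac
import io
import zipfile
from pathlib import PurePosixPath


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole archive, as the maintainer would publish it."""
    return hashlib.sha256(data).hexdigest()


def digest_matches(zip_bytes: bytes, expected_sha256: str) -> bool:
    """True only if the download hashes to the digest obtained out of band.

    A zip swapped on the download host cannot pass unless the attacker can
    also change the digest the maintainer published elsewhere."""
    return hmac.compare_digest(sha256_hex(zip_bytes), expected_sha256.strip().lower())


def unsafe_entries(zip_bytes: bytes) -> list[str]:
    """Archive members that would land outside the install folder when
    extracted naively: absolute paths, drive letters, or '..' components."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = PurePosixPath(name.replace("\\", "/")).parts
            if name.startswith(("/", "\\")) or ".." in parts or (len(name) > 1 and name[1] == ":"):
                bad.append(name)
    return bad


def check_update(zip_bytes: bytes, expected_sha256: str) -> tuple[bool, str]:
    """Combined decision a package manager could make before installing."""
    if not digest_matches(zip_bytes, expected_sha256):
        return False, "digest mismatch: archive differs from what the maintainer published"
    bad = unsafe_entries(zip_bytes)
    if bad:
        return False, "unsafe archive entries: " + ", ".join(bad)
    return True, "ok"


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {path: content} (fixture for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample data (hypothetical component): the zip as the maintainer
# shipped it, and the same file names re-uploaded by someone else with an
# altered Execute method, which is exactly what a user would not notice.
GENUINE_ZIP = build_zip({
    "cryptini/cryptini.lpk": b"<package/>",
    "cryptini/ucryptini.pas": b"procedure TCryptIni.Execute; begin LoadIni; end;",
})
PUBLISHED_DIGEST = sha256_hex(GENUINE_ZIP)  # what the maintainer would publish out of band

TAMPERED_ZIP = build_zip({
    "cryptini/cryptini.lpk": b"<package/>",
    "cryptini/ucryptini.pas": b"procedure TCryptIni.Execute; begin LoadIni; Beacon; end;",
})

# A zip whose digest is 'correct' for itself but whose entry escapes the target folder.
TRAVERSAL_ZIP = build_zip({
    "../../lazarus/startlazarus.exe": b"not really an executable",
})


if __name__ == "__main__":
    for label, data in (("genuine", GENUINE_ZIP), ("tampered", TAMPERED_ZIP)):
        print(label, check_update(data, PUBLISHED_DIGEST))
    print("traversal", check_update(TRAVERSAL_ZIP, sha256_hex(TRAVERSAL_ZIP)))
```

The digest only helps if it travels a different path than the zip: if both sit on the same compromised host, the attacker replaces both. A signature over the zip with a maintainer-held key would remove that dependency, but the hash check above already covers the case the post describes, where the zip alone is swapped.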