All the OPM 'action' is in the OPM_CCR SF repository under svn version control. It is however a 'sandbox' and no-one but the OPM moderator can alter the official online repository. Direct uploads would be a disaster-in-waiting.
I stress 'version control' because I feel this essential to successful OPM deployment in Laz 1.8, and @GetMem has rightly handled it well for installation and updates.
Now there is a misunderstanding somewhere. The only task now is to transfer a package generated by the Opkman to the server repository, through the admin's approval.
This transfer does not require version control. The original sources of those packages are typically under version control but that is a different topic.
Thus I don't see any reason why SourceForge or similar should be used as a "sandbox", a transfer area. DropBox or Google Docs or whatever would suit better if it must be a public commercial provider.
BTW, nobody has suggested direct upload to the final repository. The discussion is about a transfer area where Opkman could automatically move packages, to be inspected later by admin.
I would suggest that your main worry is being too busy to un-vet a crap component that doesn't compile and is full of bugs that will never be fixed. This could happen with an over-automated system, and would reflect badly on Lazarus 1.8. I have no idea what a solution for that would look like but my 'SF sandbox' proposal minimises the chance - proposed components 'sit there' until the OPM moderator has time and energy to vet them.
@Juha's ideas are sound if applied to the in-house server. I am suggesting an extra 'sandbox' layer for security and maintainability and above all - to maintain the Lazarus reputation for solid bug-free built-in components.
No, we don't need another layer for security and maintainability. We already have such a layer, namely a human inspection.
In the beginning many people wanted to have a fully automatic Delphinus-style system because only it would be flexible enough. Now you think even a controlled delivery through admin moderation is not enough?
The packages delivered are not part of Lazarus, they are 3rd party packages. The admin's duty is not to rate them. That's why there will be a rating system. Having some lower quality packages is part of reality.
Whatever server is used for the temporary transfer, a single public account / password should be enough initially. Later it can be improved.
I didn't know there is no FTP protocol in FPC libs, but indeed HTTP works equally well.
If I had the possibility to choose PHP, the login system would have been implemented long ago. However, some core developers insist that it be FPC as a showcase. I have little experience coding server-side stuff with FPC; I am hoping somebody with more experience will help me. Another solution is to learn it myself, but since my time is limited the progress will be slow.
No, I don't really insist on it. I only said I would like to see an FPC solution. I was hoping somebody else would join and do an initial version. Maybe not.
If nobody does it, please feel free to use PHP.