[romeisendcoming]

Interesting you bring this up. Regardless of the provenance of packages and facility for installation you seem to be hinting that there should be a method to install specific service/feature sets to a system securely and without systems access.

I designed such a system which runs with appropriate permissions to a task, is modular, and accomplishes the provisioning via 'job' files submitted to a service endpoint. A user could describe the software they want installed. The SA performs due diligence on vetting software and designs a standard install module then generates a skeleton jobfile and provides it to the requesting user to fill in necessary details and submit. Wash , rinse, repeat.