Tony, Gallery does have an e-mail list where they announce new versions and also security concerns. I have run Gallery on riocar.org with comments enabled and no problems have occurred. Gallery does strip out PHP code properly if someone tries.

Listserv is here.