Security Concerns Surrounding VCL Components

One thing caught me a little off guard regarding updates and support.  I was looking through the IDE this evening and found the following in the read me section:

To download any available updates to the Delphi for PHP development environment, visit http://www.codegear.com/downloads. Get the latest VCL for PHP updates from the open source project site at http://sourceforge.net/projects/vcl4php/.

Now I understand that the VCL is being handled in the Open Source community.  However in my mind I think that since Delphi is distributing them with the launch of this product that I should be able to get component updates from them? 

I understand that these are open source components that can be modified by the community, but it seems to me that there should be some way that Codegear would be able to vet new versions of components.  I guess where I am going with all of this is with regard to security concerns. 

I realize the beauty of open source is that users can act quickly to resolve issues and innovate.  However along with that power comes a certain danger that requires knowledge to discern...what to download and what is ok to use.  I guess for the time being I would rather have my components come from the company I paid for the IDE.

Thoughts?