There has always been an internal bug tracker. GL just decided not to have a public tracker and just use the forums for bugs, where most users are. A lot of the developers don’t speak any English, so moving bugs from the public tracker to the private was taking a lot of extra time.
All your bug reports and feature requests have been noted, and will be applied if GL decides they are needed or not.
Laws in the EU don’t give any time frame. If that was the case, then no company could sell routers, as Asus routers, for example, are running on really old Linux kernels that have vulnerabilities, and they also knowingly ignore actual vulnerabilities. GL has patched many such over the years.
Btw, the MD5 hash is only used to make sure the file has not been corrupted during the download (i.e. file checksum), but since the traffic is HTTPS, there are no MITM attacks and firmware auto upgrade is safe in any case. HTTPS SSL already uses SHA256 or higher depending on server config, so why have double encryption? If the user uploads a firmware file on their own, without the auto upgrade, then it’s up to them to make sure the file was downloaded from the correct source and not modified. There is no vulnerability there, or insecurities.