What is the opinion of the maintainer? @ragnard @steveej

Also @NeQuissimus who did maintenance on the package.

All I can say is that I stopped using it :)
I would suggest keeping it around for a little while longer to see if any other entity takes over the repo. But if not, we should make sure this has been deleted for NixOS 20.09

I don't know what the policy says about packages which are unmaintained upstream. If there's no policy I suggest establishing one so these decisions are covered in the future. Personally I agree with @volth that it seems premature to removing it now. Maybe wait 2 more months?

On the other hand, if the software still works, has users and doesn't have glaring security vulnerabilities, I don't think there's a problem with not removing it.

It seems that last year the CNCF archived it and Gentoo removed it because of security issues and an inactive upstream.

https://bugs.gentoo.org/687100
cncf/toc#262
https://www.cncf.io/blog/2019/08/16/cncf-archives-the-rkt-project/
rkt/rkt#3999
https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/

That sounds like reason enough to remove it pretty soon

It is only 1 month since the commercial team ceased work on it.

The note in the ticket about dismantlement of the official team was a quotation from summer. They declared end now because "community" hasn't picked it up since then.

As there are those CVEs, an alternative is to just use meta.knownVulnerabilities for now 🤷‍♂️

just use meta.knownVulnerabilities for now

Opened #82023

I backported the cve list to 19.09 and 20.03 as well.

This issue is handled as discussed by #82023. Might as well close this, and revisit for 20.09.

We can also just keep this open for 20.09 as a milestone.

Are there any news about a new fork of rkt?

I couldn't find anything.

Also added a comment to the release notes for 2009.