Hi Dmitry, Upstream doesn't have any update for these 3 CVE for more than 2 weeks(after the CVE published).
So I'm afraid that rkt is longer maintained, with 2 other concerns: 1. Most commits since 2019 are about typo/documents. 2. Coreos(the company who creates rkt) has been acquired by RedHat. And RedHat has more interests in other container related tools, like podman. Although rkt is now hosted by CNCF, but it doesn't attract more contributors. So I would suggest we remove rkt from buster. -- Shengjing Zhu
