With the upcoming ntopng, will ntop upstream still provide security support for previous ntop releases (i.e to version 5.0 which is in testing) ?
If upstream is *not* going to provide security support for ntop then it would be best to not distribute it and just add the information in the Release Notes.
Unless you, as maintainer, are going to commit to provide support for it.
If you request the package removal the I would also suggest to ask *all* bug submitters to review if their bugs apply also to ntopng (the code base is similar) and duplicate+reassign the bugs there too. Otherwise many of the open bugs (not addressed in ntop, but forwarded upstream) will get lost with the package removal.
Should I just request the removal of ntop instead?If you do this, users will upgrade their Debian system and will not be aware that ntop is obsolete and will have to replace it. (unless they look in aptitude for 'Obsolete' packages).
FWIW, IMHO, the NEWS file I suggest should have been provided in ntop as soon as the move to ntopng was evident (¿2013?). That way users should have been given ample warning time.