commit aa6a989 (19.03 branch) and #40672 (master / 20.10) re-introduced a local copy of go's archive/tar package, with a patch applied patches/0001-archive-tar-do-not-populate-user-group-names.patch.

This patch was applied for the 19.03.8 release to improve mitigation for CVE-2019-14271 for some nscd configuration.

We should try to get rid of this fork again.

The discussion on #40672 (comment) mentioned we should open a ticket / pull request in upstream Go to make this functionality "optional", but I think @tonistiigi also had alternatives in mind to address it.