Can you add a idtools_deprecated_unix.go file with aliases for the exported functions, and deprecate those, or won't that work due to a circular import in that case? (we might still be able to after idtools is moved to a separate module.

// LoadIdentityMapping takes a requested username and
// using the data from /etc/sub{uid,gid} ranges, creates the
// proper uid and gid remapping ranges for that user/group pair.
//
// Deprecated: this function was only used internally and will be removed in the next release.
func LoadIdentityMapping(name string) (IdentityMapping, error) {
	return usergroup. LoadIdentityMapping(name)
}

Can add back later if we need. Who is that deprecation message for though? I think we could have documentation about what is breaking with each release but if we require stretching every refactor to a two release cycle then we won't it will make doing all the valuable way more time consuming. IMO we are already doing major version bumps and we should cleanup as much as we can in v28, switch to go.mod, then actually semver the go sdk.

Who is that deprecation message for though?

Always hard to tell.

The Deprecated annotations are effectively the documentation here, and those are picked up by linters and IDEs, so help users find their replacement. Updating references is not always under control by the user, because go modules may force them to use dependencies that perhaps have not yet switched over. We for sure won't be able to do this for all changes, but if it's only adding a file with aliases, that's not a ton of things to maintain, and can go a long way not having to deal with the aftermath.

☝️ OK: identified at least one; BuildKit breaks because of this;

0.137 + xx-go build '-gcflags=' -ldflags '-X github.com/moby/buildkit/version.Version=v0.18.0-55-g80600495c -X github.com/moby/buildkit/version.Revision=80600495cbc8c0c439d71fc77f146cb26fabcfa5 -X github.com/moby/buildkit/version.Package=github.com/moby/buildkit -extldflags '"'"'-static'"'" -tags 'osusergo netgo static_build seccomp ' -o /usr/bin/buildkitd ./cmd/buildkitd
71.51 # github.com/moby/buildkit/cmd/buildkitd
71.51 cmd/buildkitd/util_linux.go:25:27: undefined: idtools.LoadIdentityMapping

• see vendor: github.com/docker/docker, github.com/docker/cli v28.0.0-rc.1 buildkit#5602 (comment)

I went looking if the system.MkdirAll was needed at all anywhere (for the special handling of windows GUID volume paths), and it looks like it's no longer needed since go1.22, so I opened a PR to deprecate it, and remove its use;

• pkg/system: deprecate MkdirAll and remove custom volume GUID handling #49162

☝️ this was the last use go pkg/system in BuildKit, so removing this line makes BuildKit no longer depend on it.

Did a quick rebase after that one was merged

Had to double-check this one, because the first filter was matching numeric Uid with SubID.Name, but looks like moby/sys/user does the same, and checking the man-page; https://man7.org/linux/man-pages/man5/subuid.5.html

Each line in /etc/subuid contains a user name and a range of
subordinate user ids that user is allowed to use. This is
specified with three fields delimited by colons (“:”). These
fields are:

• login name or UID
• numerical subordinate user ID
• numerical subordinate user ID count

One thing we could do is to take the same approach as is used there, and to combine them to a single filter;