Do not allow setuptools to obtain eggs, unless picked versions are allowed

src/zc/buildout/easy_install.py

@@ -290,6 +290,17 @@ def _execute_permission():
 
 
 _easy_install_cmd = 'from setuptools.command.easy_install import main; main()'
+_easy_install_cmd_no_install_setup_requires = """\
+from setuptools import sandbox
+from contextlib import contextmanager
+def setup_context(*args):
+  with sandbox_setup_context(*args):
+    from pkg_resources import Environment
+    Environment.obtain = lambda *_: None
+    yield
+sandbox_setup_context = sandbox.setup_context
+sandbox.setup_context = contextmanager(setup_context)
+""" + _easy_install_cmd
 
 _doing_list = type('', (), {'__mod__': staticmethod(
     lambda x: '\n    '.join(*x))})()
@@ -470,8 +481,10 @@ class Installer:
                 path_list += extra_path.split(os.pathsep)
 
             args = [sys.executable, '-c',
-                    ('import sys; sys.path[0:0] = %r; ' % path_list) +
-                    _easy_install_cmd, '-mZUNxd', tmp]
+                    'import sys; sys.path[0:0] = %r; ' % path_list + (
+                        _easy_install_cmd if self._allow_picked_versions else
+                        _easy_install_cmd_no_install_setup_requires),
+                    '-mZUNxd', tmp]
             level = logger.getEffectiveLevel()
             if level > 0:
                 args.append('-q')