[fix] Restrict package index search path

Restrict package index search_path to buildout:extra-paths value.
Without this, setting an empty extra-paths has been observed to
cause package index lookup to crash when finding an already
installed distribution in sys.path that matches the request, but
is not installable (as it is already installed, e.g. it's not a
.tar.gz or .whl or some such expected distribution format)

Maybe package index search_path should simply always be empty?
It does not seem to make much sense to look for installable
distributions on sys.path, in fact it seems accidental.

src/zc/buildout/easy_install.py

@@ -157,7 +157,12 @@ class AllowHostsPackageIndex(setuptools.package_index.PackageIndex):
 
 _indexes = {}
 def _get_index(index_url, find_links, allow_hosts=('*',)):
-    key = index_url, tuple(find_links), allow_hosts
+    # XXX Maybe search_path should always be empty. Why scan sys.path
+    # by default in the package index? This seems like an unindented
+    # artifact of the fact that package_index.PackageIndex inherits
+    # from pkg_resources.Environment.
+    search_path = extra_paths()
+    key = index_url, tuple(find_links), allow_hosts, tuple(search_path)
     index = _indexes.get(key)
     if index is not None:
         return index
@@ -166,7 +171,11 @@ def _get_index(index_url, find_links, allow_hosts=('*',)):
         index_url = default_index_url
     if index_url.startswith('file://'):
         index_url = index_url[7:]
-    index = AllowHostsPackageIndex(index_url, hosts=allow_hosts)
+    index = AllowHostsPackageIndex(
+      index_url,
+      hosts=allow_hosts,
+      search_path=search_path, # Do not scan beyound extra-paths
+      )
 
     if find_links:
         index.add_find_links(find_links)