
[BUG] importlib_load_entry_point of EASY-INSTALL-ENTRY-SCRIPT in easy_install.py does not respect version requirement #2661

Open
hartwork opened this issue Apr 29, 2021 · 3 comments
Labels
bug Needs Triage Issues that need to be evaluated for severity and status.

Comments

@hartwork

hartwork commented Apr 29, 2021

setuptools version

setuptools==56.0.0

Python version

Python 3.7 (and all others)

OS

Linux (and all others)

Additional environment information

Needs importlib_metadata installed (version 3.8.2 for me) so that the code `from importlib_metadata import distribution` succeeds and `globals().setdefault('load_entry_point', importlib_load_entry_point)` activates the shipped `importlib_load_entry_point` function.

Description

Hi!

The current code for `importlib_load_entry_point` at

```python
from importlib_metadata import distribution  # import the generated script header performs


def importlib_load_entry_point(spec, group, name):
    # 'pkg==1.2.3' -> 'pkg'; the version after '==' is discarded here
    dist_name, _, _ = spec.partition('==')
    matches = (
        entry_point
        for entry_point in distribution(dist_name).entry_points
        if entry_point.group == group and entry_point.name == name
    )
    # first matching entry point wins; bare StopIteration if there is none
    return next(matches).load()
```

does not enforce the version requirement, i.e. when requesting `python-dotenv==0.17.0` this will serve `python-dotenv==0.16.0` to me happily and without complaining. That seems unfortunate. Is that intended, and does it have to be like that? Else, what do you think about a fix along these lines?

diff --git a/setuptools/command/easy_install.py b/setuptools/command/easy_install.py
index 45adb6a..a09bfad 100644
--- a/setuptools/command/easy_install.py
+++ b/setuptools/command/easy_install.py
@@ -2060,10 +2060,13 @@ class ScriptWriter:
 
 
         def importlib_load_entry_point(spec, group, name):
-            dist_name, _, _ = spec.partition('==')
+            dist_name, _, dist_version = spec.partition('==')
+            dist = distribution(dist_name)
+            if dist.version != dist_version:
+                raise StopIteration  # just to match "next(matches)" below
             matches = (
                 entry_point
-                for entry_point in distribution(dist_name).entry_points
+                for entry_point in dist.entry_points
                 if entry_point.group == group and entry_point.name == name
             )
             return next(matches).load()
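Review bot: the new check raises a bare `StopIteration` (`raise StopIteration  # just to match "next(matches)" below`), which leaves the user with a traceback that names neither the distribution nor the two versions involved; raise a descriptive exception instead, e.g. `raise RuntimeError(f"{dist_name}: script requires {dist_version}, found {dist.version}")`. Two more points on the same lines: `dist.version != dist_version` compares raw strings, so equivalent PEP 440 spellings such as `0.17` and `0.17.0` would be rejected (compare parsed versions), and when `spec` carries no `==`, `dist_version` is the empty string and every installed version is rejected; handle an empty `dist_version` explicitly rather than letting it fall through to the comparison.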

Thanks and best, Sebastian

Expected behavior

`importlib_load_entry_point('python-dotenv==0.17.0', 'console_scripts', 'dotenv')` rejects 0.16.0 and raises an exception.

If it turns out needed and intended to ignore version requirements at that place, a comment about why that is in the code would go a long way.

How to Reproduce

Take any existing easy-install script, make a copy, install a different version of the related software, run the script, see it work while expecting failure.

Output

Code of Conduct

  • I agree to follow the PSF Code of Conduct
@hartwork hartwork added Needs Triage Issues that need to be evaluated for severity and status. bug labels Apr 29, 2021
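A version-enforcing variant of the loader, written here as an added example (not setuptools' or the reporter's code), that rejects a mismatching install the way the expected-behaviour section asks and compares versions as PEP 440 versions rather than raw strings. It assumes an injectable `distribution` lookup and constructed stub objects standing in for an installed python-dotenv; `packaging` is optional, with a simplified release-segment comparison used when it is absent.

```python
# Added example, not setuptools code: a pinned loader with the version check the
# issue asks for. `distribution` is injected so the demo runs on constructed stubs.
from types import SimpleNamespace

try:
    from packaging.version import Version  # real PEP 440 comparison when installed
except ImportError:  # fallback: compare release segments with trailing '.0' dropped
    Version = None


def same_version(found, required):
    """True when both strings name the same release, e.g. '0.17' and '0.17.0'."""
    if Version is not None:
        return Version(found) == Version(required)

    def release(v):
        parts = v.strip().lower().split('.')
        while len(parts) > 1 and parts[-1] == '0':
            parts.pop()
        return parts
    return release(found) == release(required)


def load_entry_point_pinned(spec, group, name, distribution):
    """Like importlib_load_entry_point, but rejects a distribution whose version
    differs from the '==' pin in `spec` and reports both versions."""
    dist_name, sep, required = spec.partition('==')
    if not sep or not required:
        raise ValueError(f"entry-point spec {spec!r} has no '==' version pin")
    dist = distribution(dist_name)
    if not same_version(dist.version, required):
        raise RuntimeError(f"{dist_name}: script generated for {required}, "
                           f"but {dist.version} is installed")
    for ep in dist.entry_points:
        if ep.group == group and ep.name == name:
            return ep.load()
    raise LookupError(f"no entry point {group}/{name} in {dist_name} {dist.version}")


def make_lookup(installed_version):
    """Constructed stand-in for `distribution()`: a fake python-dotenv install with
    one console_scripts entry point whose load() returns the script's main."""
    ep = SimpleNamespace(group='console_scripts', name='dotenv',
                         load=lambda: (lambda: 'dotenv-cli'))
    return lambda name: SimpleNamespace(version=installed_version, entry_points=[ep])
```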
@hartwork
Author

hartwork commented May 6, 2021

Any thoughts?

@hartwork
Author

hartwork commented Jul 3, 2021

Anyone?

@hartwork
Author

Any thoughts?
