Description
908da75 (#322) added setuptools as a dependency in this package. However, the pip-tools package that's commonly used for pinning dependencies considers setuptools an unsafe dependency to have in a project at all (as discussed in #492), and as such doesn't save it in the pinned requirements file at all.
Since google-auth depends on Setuptools but a version couldn't have been pinned in the requirements, we're seeing
Collecting setuptools>=40.3.0 (from google-auth==1.19.1->our-proprietary-package==0.31.1)
Downloading https://files.pythonhosted.org/packages/b0/8b/379494d7dbd3854aa7b85b216cb0af54edcb7fce7d086ba3e35522a713cf/setuptools-50.0.0-py3-none-any.whl (783kB)
which wreaks havoc on Ubuntu 16.04 + Python 3.5 machines due to pypa/setuptools#2352 / https://github.com/pypa/setuptools/issues/2350 / pypa/setuptools#2356 ...
The workaround is to add --allow-unsafe or manually pin setuptools, but is the requirement actually necessary in this package? No other package in the 48-line requirements.txt for this particular project would have required a version of setuptools.
Environment details
- OS: Ubuntu 16.04
- Python version: 3.5
- pip version: irrelevant
- google-auth version: 1.19.1
Steps to reproduce
- Install google-auth on an Ubuntu 16.04 machine
- It installs setuptools==50.0.0
- SystemError: Parent module 'setuptools' not loaded, cannot perform relative import with setuptools 50 pypa/setuptools#2352 and friends
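
One way to catch this class of problem in CI, as an added example that is not part of the original issue and not code from google-auth, pip or pip-tools: scan pip's "Collecting ..." output for any distribution that was not resolved to the exact version in the pinned requirements file. The pin file contents, the function names and the log lines other than the setuptools line quoted above are constructed for illustration.

```python
import re

# Constructed pin file, as pip-compile would write it without --allow-unsafe.
PINNED_REQUIREMENTS = """\
google-auth==1.19.1
our-proprietary-package==0.31.1
six==1.15.0  # constructed entry
"""

# Constructed pip output; the setuptools line is the one quoted in the issue.
PIP_LOG = """\
Collecting google-auth==1.19.1 (from our-proprietary-package==0.31.1)
Collecting six==1.15.0 (from google-auth==1.19.1->our-proprietary-package==0.31.1)
Collecting setuptools>=40.3.0 (from google-auth==1.19.1->our-proprietary-package==0.31.1)
"""

COLLECT_RE = re.compile(
    r"^Collecting\s+(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<spec>[^\s(]*)"
    r"(?:\s+\(from\s+(?P<chain>[^)]+)\))?"
)

def normalize(name):
    """PEP 503 normalization so 'Google_Auth' and 'google-auth' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def pinned_versions(requirements_text):
    """Map normalized project name -> exact version for every 'name==version' line."""
    pins = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins[normalize(name)] = version.strip()
    return pins

def floating_dependencies(pip_log, requirements_text):
    """Return (name, specifier, direct_requirer) for installs the pin file does not fix."""
    pins = pinned_versions(requirements_text)
    findings = []
    for line in pip_log.splitlines():
        m = COLLECT_RE.match(line.strip())
        if not m:
            continue
        name, spec = normalize(m.group("name")), m.group("spec")
        if pins.get(name) is not None and spec == "==" + pins[name]:
            continue  # resolved exactly as pinned
        requirer = (m.group("chain") or "").split("->")[0] or None
        findings.append((name, spec, requirer))
    return findings

if __name__ == "__main__":
    for name, spec, requirer in floating_dependencies(PIP_LOG, PINNED_REQUIREMENTS):
        print(f"unpinned: {name}{spec} pulled in by {requirer}")
```

Failing the build when this list is non-empty surfaces a floating transitive dependency before a new upstream release reaches production machines.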