Well in ten years I have never had a nuked server by pip or virtualenv. I am sure there are edge cases but that must be true for all the ways of deploying stuff. I guess the ones you know well appear simple to you !

I've had a production server be hosed by running 'letsencrypt-auto'. My bad I guess but still, that's one that I really did not see coming.

I kind of agree with both of you. I don't think Python deployment is that bad, as most modern managers get it right (I prefer Poetry nowadays). However something like letsencrypt-auto, which AFAIK installs its own dependencies, is not something I'd run. I've actually never used it precisely because it's too magical. Programs shouldn't install their own dependencies anywhere outside of a virtualenv.

Does certbot do the same ? I don’t use either so I can’t tell.

I strongly agree that any python program must install its dependencies in a virtualenv. One could even argue that this principle could be extended to any software !

Have you heard of our Lord and Savior pipx? Solves the python tool isolation issue nicely.

I haven't used it, I use virtualfish which does a great job as well.

Virtualfish is new to me, will check it out thanks.

And it turned out that pipx wasn't what I thought it was, so thank you as well! Though virtualfish is only useful if you use the fish shell.