by figbert 1434 days ago
If I'm understanding correctly, this basically just kicks the ball a little further down the road...

You shouldn't use pip directly because you don't know which version is the one in your path. Ok: the same applies to the python command?

Calling pip is version ambiguous, but so is calling python.

4 comments

Yeah, if your Linux distro comes with python, python2, python3.7, and python3.8... then you almost certainly have the matching pip, pip2, pip3.7, and pip3.8. If you activate a virtualenv, that will override python and python3 but also pip and pip3.

The only situations where I've encountered breakage are pydoc (because your virtualenv does not necessarily have its own pydoc, contrary to having pip) and calling pip from a Jupyter notebook: the current kernel's virtualenv is not necessarily activated (the solution is the %pip magic or `!{sys.executable} -m pip` since `!python` would have the same issue).
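The Jupyter mismatch described in the comment above can be checked mechanically: `pip --version` prints the directory pip was imported from, and that directory should sit under the running interpreter's prefix (the venv), its base installation, or the user site. The following is an added example, not code from the commenter; the sample version line and its path are constructed, and `check_current_kernel` assumes a `pip` command and `sys.executable -m pip` are present to run.

```python
import re
import site
import subprocess
import sys
from pathlib import Path

# Constructed sample of what `pip --version` prints; the path is made up for the example.
SAMPLE_VERSION_LINE = (
    "pip 23.3.1 from /home/user/.venvs/proj/lib/python3.11/site-packages/pip (python 3.11)"
)

# `pip --version` output has the shape:  pip <ver> from <dir>/pip (python <X.Y>)
_VERSION_RE = re.compile(
    r"^pip (?P<version>\S+) from (?P<location>.+?) \(python (?P<python>\d+\.\d+)\)\s*$"
)


def parse_pip_version(line):
    """Parse one `pip --version` line; return None if it does not look like pip output."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        return None
    return {
        "version": m.group("version"),
        "location": Path(m.group("location")),
        "python": m.group("python"),
    }


def pip_belongs_to(prefixes, line):
    """True if the pip described by `line` lives under one of the given prefixes."""
    info = parse_pip_version(line)
    if info is None:
        return False
    for prefix in prefixes:
        try:
            info["location"].relative_to(Path(prefix))
            return True
        except ValueError:
            continue
    return False


def interpreter_prefixes():
    """Places where pip can legitimately live for the running interpreter:
    the (virtual) environment prefix, the base installation, and the user site."""
    return [sys.prefix, sys.base_prefix, site.getusersitepackages()]


def check_current_kernel():
    """Run pip both ways the comment contrasts: `{sys.executable} -m pip` and the bare
    `pip` found on PATH. For each, report whether it belongs to this interpreter;
    None means the command was missing or failed."""
    results = {}
    for name, cmd in (("python -m pip", [sys.executable, "-m", "pip", "--version"]),
                      ("pip", ["pip", "--version"])):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        except (OSError, subprocess.TimeoutExpired):
            results[name] = None
            continue
        if out.returncode != 0:
            results[name] = None
            continue
        results[name] = pip_belongs_to(interpreter_prefixes(), out.stdout)
    return results


if __name__ == "__main__":
    for name, ok in check_current_kernel().items():
        state = "unavailable" if ok is None else ("this interpreter" if ok else "ANOTHER interpreter")
        print(f"{name}: {state}")
```

Run it from a notebook cell with `!python path/to/this.py` or import it and call `check_current_kernel()`; when the bare `pip` row reports another interpreter while the `python -m pip` row reports this one, you have exactly the situation the comment describes.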

If there's an executable file named "python" in your current directory, typing "python" in your shell won't in general execute that file. You need to add the current directory to your PATH, or to run it explicitly with something like "./python". This is different from the behavior with "python -m modulename".

So this security concern applies when you trust your shell and all the directories in your PATH, but you don't trust the contents of the current directory. That's not the norm, but it's quite a common situation to be in - you downloaded some files but don't intend to execute them.

This is (used to be at least) different on Windows: typing "python" risks executing a file in the current directory called "python.exe", though maybe UAC saves you now.
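The two lookup rules contrasted in the comment above (a shell consults PATH only, while `python -m name` imports with the current directory at `sys.path[0]`, and cmd.exe additionally checks the current directory first) can be audited for a given directory before anything is run in it. This is an added example, not the commenter's code; `build_demo_dir` writes two inert marker files into a fresh temporary directory so the audit has something to find, and the Windows rule is modelled only as "current directory is searched first", without PATHEXT handling.

```python
import os
import stat
import tempfile
from pathlib import Path


def shell_lookup(command, path_dirs, cwd, windows_rules=False):
    """Emulate where a shell finds `command`.
    POSIX shells search only the directories on PATH, so a file in `cwd` is
    ignored unless cwd itself is on PATH. cmd.exe historically searches the
    current directory first, which `windows_rules=True` models (simplified)."""
    search = ([Path(cwd)] if windows_rules else []) + [Path(d) for d in path_dirs if d]
    for directory in search:
        candidate = directory / command
        if candidate.is_file() and os.access(candidate, os.X_OK):
            return candidate
    return None


def module_shadow_in(cwd, modname):
    """`python -m modname` puts cwd at sys.path[0], so a modname.py or a
    modname/__init__.py in cwd is imported ahead of the installed package.
    Return that file if one exists, else None."""
    d = Path(cwd)
    for candidate in (d / f"{modname}.py", d / modname / "__init__.py"):
        if candidate.is_file():
            return candidate
    return None


def audit_cwd(cwd, path_dirs=None, modname="pip"):
    """Report what `pip` (POSIX shell / cmd.exe) and `python -m pip` would resolve to
    when invoked from `cwd`. Defaults to the real PATH of this process."""
    if path_dirs is None:
        path_dirs = os.environ.get("PATH", "").split(os.pathsep)
    return {
        "posix_command": shell_lookup(modname, path_dirs, cwd),
        "cmd_exe_command": shell_lookup(modname, path_dirs, cwd, windows_rules=True),
        "module_from_cwd": module_shadow_in(cwd, modname),
    }


def build_demo_dir():
    """Constructed 'downloaded files' directory for the demo: an executable named
    `pip` and a `pip.py`, both inert marker files containing only a comment."""
    d = Path(tempfile.mkdtemp(prefix="untrusted-"))
    exe = d / "pip"
    exe.write_text("#!/bin/sh\n# constructed marker file for the demo\n")
    exe.chmod(exe.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    (d / "pip.py").write_text("# constructed marker module for the demo\n")
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for key, value in audit_cwd(demo, path_dirs=["/usr/bin", "/usr/local/bin"]).items():
        print(f"{key}: {value}")
```

With the demo directory and a PATH that does not include it, `posix_command` is None (the shell never looks in the current directory), `cmd_exe_command` points at the marker executable, and `module_from_cwd` points at `pip.py`, which is the case the comment flags for `python -m modulename`.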

Any sane system package manager will ensure that pip corresponds to python, pip2 corresponds to python2, …
It may be an ambiguous version, but it'll be the same version as the repl you get when you type `python`, and it'll be the same version that'll run your script when you type `python script.py`.
They used version numbers in the examples except upgrading pip on Windows. They even used the full path in the 1st example.