Using a virtualenv is a bit of a tricky compromise, because it means that while we benefit from security updates in the OS-packaged versions, updates can also break compatibility with the pip installed packages. I'd like to make sure we really spell out this rationale in detail compared to say not using --system-site-packages or using all OS-installed packages on compatible operating systems.