What kind of risk profile does one have when it is likely that both the password is known and malware has been installed on the phone, but also just access to an ephemeral login session by the attacker (which could be obtained even when using a secure enclave by waiting for the user to authenticate by themselves) would not be enough?

> password is known

What password?

This is the exact same as DigiD, except that there is no cost per-auth, only per-sms. The parent comment is saying that Amsterdam wanted the users to install the DigiD app instead of relying on SMS authentication.

> recently iOS started using it although I don't know what server they attach to.

According to Wikipedia, only the carrier's RCS server is used [1]

[1]: https://en.wikipedia.org/wiki/Rich_Communication_Services#So...

All of the major carriers use Google Jibe as their RCS backend anyway though, so it's pretty irrelevant.

HTTP/3 even more so due to QUIC's shorter handshake process.

For fun I suppose? See: esoteric programming languages

Why shoud we suppose if the author himself can give us an authoritative answer?

It's very obvious.

> This addresses one of the longest standing complaints about SQL, and the DuckDB team implemented it in 2 days.

what a weird thing to say.

True, because with such decision the question is not whether it's possible to implement, but whether it's a good decision to do it.

no

Are you sure? I think the computed tab in Chrome devtools shows the actual used font.

Yup if you scroll to the bottom of the Computed tab, it shows the "Rendered Fonts".

Why is that?