diff --git a/dom0/securedrop-update b/dom0/securedrop-update
index 55cf40cf..f5ecc59b 100755
--- a/dom0/securedrop-update
+++ b/dom0/securedrop-update
@@ -28,6 +28,9 @@ function securedrop-update-feedback() {
         '$msg'"
 }
 
+# `qubesctl pkg.upgrade` will automatically update dom0 packages, as well,
+# but we *first* want the freshest RPMs from dom0, *then* we'll want to
+# update the VMs themselves.
 securedrop-update-feedback "SecureDrop: Updating dom0 configuration..."
 sudo qubes-dom0-update -y
 
@@ -36,4 +39,8 @@ qubesctl --templates \
     --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
     pkg.upgrade refresh=true
 
+# Here would be a good place for state.highstate, to re-apply the VM configs.
+# Let's first make sure the package upgrade logic is stable, we can circle
+# back to enforce the Salt configs regularly.
+
 securedrop-update-feedback "SecureDrop: All updates complete!"