diff --git a/pkgs/additional/bunpen/restrict/namespace.ha b/pkgs/additional/bunpen/restrict/namespace.ha
index 5c3cba9ff..08a86c0fc 100644
--- a/pkgs/additional/bunpen/restrict/namespace.ha
+++ b/pkgs/additional/bunpen/restrict/namespace.ha
@@ -153,7 +153,9 @@ fn bind_leaf(old_fs: *fs::fs, new_fs: *fs::fs, user_path: *path::buffer) void =
     };
   };
 
-  // and now, perform the actual bind:
+  // and now, perform the actual bind mount:
+  // XXX: if the thing being mounted over is a symlink, the `mount` syscall will FAIL
+  // (and be swallowed). that's GOOD; we don't want to mount over a symlink.
   let old_pathbuf = match (path::init("old", path_str)) {
     case let e: path::error =>
       log::printfln("[namespace] unable to construct old path for binding {}: {}", path_str, path::strerror(e));