diff --git a/portlist/portlist_linux.go b/portlist/portlist_linux.go
index 0400be203..ab7d3b98b 100644
--- a/portlist/portlist_linux.go
+++ b/portlist/portlist_linux.go
@@ -25,8 +25,6 @@ import (
 // Reading the sockfiles on Linux is very fast, so we can do it often.
 const pollInterval = 1 * time.Second
 
-// TODO(apenwarr): Include IPv6 ports eventually.
-// Right now we don't route IPv6 anyway so it's better to exclude them.
 var sockfiles = []string{"/proc/net/tcp", "/proc/net/tcp6", "/proc/net/udp", "/proc/net/udp6"}
 
 var sawProcNetPermissionErr syncs.AtomicBool
diff --git a/portlist/portlist_macos.go b/portlist/portlist_macos.go
index 2d0010401..1f253a351 100644
--- a/portlist/portlist_macos.go
+++ b/portlist/portlist_macos.go
@@ -33,8 +33,9 @@ var lsofFailed int64 // atomic bool
 // However, "netstat -na" runs ~100x faster than lsof on my machine, so
 // we should do it only if the list of open ports has actually changed.
 //
-// TODO(apenwarr): this fails in a macOS sandbox (ie. our usual case).
-// We might as well just delete this code if we can't find a solution.
+// This fails in a macOS sandbox (i.e. in the Mac App Store or System
+// Extension GUI build), but does at least work in the
+// tailscaled-on-macos mode.
 func addProcesses(pl []Port) ([]Port, error) {
 	if atomic.LoadInt64(&lsofFailed) != 0 {
 		// This previously failed in the macOS sandbox, so don't try again.