diff --git a/roles/environment/tasks/main.yml b/roles/environment/tasks/main.yml
index 521315b..e571bdb 100644
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@@ -205,6 +205,10 @@
                 opts: "ro,loop"
                 state: mounted
 
+        # Security note: RPM Sequoia signature policy is relaxed to allow
+        # bootstrapping RHEL-family distros from the Arch ISO, where the
+        # host rpm/dnf does not trust target distro GPG keys. Package
+        # integrity is verified by the target system's own rpm after reboot.
         - name: Relax RPM Sequoia signature policy for RHEL bootstrap
           when: is_rhel | bool
           ansible.builtin.copy: