diff --git a/deny.toml b/deny.toml
index 57416fd..ab1af04 100644
--- a/deny.toml
+++ b/deny.toml
@@ -96,13 +96,14 @@ ignore = [
 
 # DO NOT ADD
 # - "BSD-4-Clause": GPL incompatible
+# - "OpenSSL": GPL incompatible
+# - "GPL-2.0": GPL3 incompatible
 allow = [
   "MIT",
   "Apache-2.0",
   "ISC",
   "Unicode-DFS-2016",
   "BSD-3-Clause",
-  #"Apache-2.0 WITH LLVM-exception",
 ]
 # The confidence threshold for detecting a license from license text.
 # The higher the value, the more closely the license text must be to the
@@ -116,11 +117,16 @@ exceptions = [
   # list
   #{ allow = ["Zlib"], crate = "adler32" },
 
-  # We give an exception for ring, since the rust ecosystem heavily relies on
-  # it. This is not GPL-compatible, we are only making this exception because
-  # ring is working on fixing this.
+  # NOTE: We give an exception for ring, since the rust ecosystem heavily
+  # relies on it. This is not GPL-compatible, we are only making this exception
+  # because ring is working on fixing this.
   #
-  # See: https://cafkafk.dev/p/rusts-ring-problem/
+  # EUPL-1.2 works with all BSD licenses, including BSD-4-Clause, which is what
+  # the old OpenSSL is equivalent to.
+  #
+  # Us making this exception should be considered... well, exceptional, and
+  # only because we absolutely need it. All other crates MUST be
+  # GPL-compatible.
   { allow = ["OpenSSL"], crate = "ring" },
 ]