diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 0e71333224..d95d3cf79a 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -10,8 +10,16 @@
 # Catalyst 4 is not stable yet, but earlier versions are masked now.
 dev-util/catalyst ~amd64 ~arm64
 
+# Handled by automation
 =app-containers/containerd-1.7.19 ~amd64 ~arm64 # DO NOT EDIT THIS LINE. Added by containerd-apply-patch.sh on 2024-07-05 08:17:23
+
+# Handled by automation?
 =app-containers/cri-tools-1.27.0 ~amd64 ~arm64
+
+# These seem to be the versions we initially got, but the
+# modifications made to the ebuilds were clobbered, so these are here
+# to keep using the same version. Can be dropped when these or newer
+# get stabilized in Gentoo.
 =app-containers/podman-5.0.2 ~amd64 ~arm64
 =app-containers/runc-1.1.13 ~amd64 ~arm64
 
@@ -48,22 +56,22 @@ dev-util/catalyst ~amd64 ~arm64
 # Needed by arm64-native SDK.
 =dev-lang/yasm-1.3.0-r1 ~arm64
 
+# Keep versions on both arches in sync.
+=dev-libs/ding-libs-0.6.2-r1 ~arm64
+
 # Needed to fix CVE-2023-52425 and CVE-2024-28757.
 =dev-libs/expat-2.6.2 ~amd64 ~arm64
 
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/jose-12 **
 
-# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
-=dev-libs/luksmeta-9-r1 **
-
-# Keep versions on both arches in sync.
-=dev-libs/ding-libs-0.6.2-r1 ~arm64
-
 # Needed to fix a build issue introduced by a wrong change in an older
 # version of the ebuild.
 =dev-libs/libdnet-1.16.4 ~arm64
 
+# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
+=dev-libs/luksmeta-9-r1 **
+
 # Keep versions on both arches in sync.
 =dev-libs/libp11-0.4.12-r6 ~arm64
 =dev-libs/opensc-0.24.0 ~arm64
@@ -104,6 +112,9 @@ dev-util/catalyst ~amd64 ~arm64
 
 sys-apps/zram-generator ~amd64 ~arm64
 
+# Upgrade to latest version for secureboot
+=sys-boot/mokutil-0.6.0 ~amd64
+
 # Enable ipvsadm for arm64.
 =sys-cluster/ipvsadm-1.31-r1 ~arm64
 
@@ -114,12 +125,12 @@ sys-apps/zram-generator ~amd64 ~arm64
 # CVE-2023-39368 and CVE-2023-43490.
 =sys-firmware/intel-microcode-20240312_p20240312 ~amd64
 
-# Needed to fix CVE-2023-29491.
-=sys-libs/ncurses-6.4_p20230527 ~amd64 ~arm64
-
 # Keep versions on both arches in sync.
 =sys-libs/libnvme-1.9 ~arm64
 
+# Needed to fix CVE-2023-29491.
+=sys-libs/ncurses-6.4_p20230527 ~amd64 ~arm64
+
 # A dependency of app-shells/bash version that we need for security
 # fixes.
 =sys-libs/readline-8.2_p10 ~amd64 ~arm64
@@ -129,6 +140,3 @@ sys-apps/zram-generator ~amd64 ~arm64
 
 # Accept unstable host Rust compilers.
 =virtual/rust-1.79.0 ~amd64 ~arm64
-
-# Upgrade to latest version for secureboot
-=sys-boot/mokutil-0.6.0 ~amd64