diff --git a/aes-decrypt-internal.c b/aes-decrypt-internal.c
index abb78de0f816da75955eeeb471f94ce09df6427b..9dff1660529b1d7359cc37ae947b0c7199bb8791 100644
--- a/aes-decrypt-internal.c
+++ b/aes-decrypt-internal.c
@@ -59,9 +59,9 @@ _nettle_aes_decrypt(const struct aes_ctx *ctx,
 	  t2 = AES_ROUND(T, w2, w1, w0, w3, ctx->keys[4*round + 2]);
 	  t3 = AES_ROUND(T, w3, w2, w1, w0, ctx->keys[4*round + 3]);
 
-	  /* FIXME: We could unrolling the loop twice, to avoid these
-	     assignments. If all eight variables fit in registers, that
-	     should give a speedup. */
+	  /* We could unroll the loop twice, to avoid these
+	     assignments. If all eight variables fit in registers,
+	     that should give a slight speedup. */
 	  w0 = t0;
 	  w1 = t1;
 	  w2 = t2;
diff --git a/aes-encrypt-internal.c b/aes-encrypt-internal.c
index ca1d803d0bfe0368447ac0df2f507ceba359ec1c..84ed6cff7a1603dd0aa1bb95ee87d28a31b68ad0 100644
--- a/aes-encrypt-internal.c
+++ b/aes-encrypt-internal.c
@@ -59,9 +59,9 @@ _nettle_aes_encrypt(const struct aes_ctx *ctx,
 	  t2 = AES_ROUND(T, w2, w3, w0, w1, ctx->keys[4*round + 2]);
 	  t3 = AES_ROUND(T, w3, w0, w1, w2, ctx->keys[4*round + 3]);
 
-	  /* FIXME: We could unrolling the loop twice, to avoid these
-	     assignments. If all eight variables fit in registers, that
-	     should give a speedup. */
+	  /* We could unroll the loop twice, to avoid these
+	     assignments. If all eight variables fit in registers,
+	     that should give a slight speedup. */
 	  w0 = t0;
 	  w1 = t1;
 	  w2 = t2;
diff --git a/aes-internal.h b/aes-internal.h
index dda43d0edb7505011d8c8bf867cfc6a6d9a3890d..a1e8d02219ae1f7c35c297101fa5b200be7d29ed 100644
--- a/aes-internal.h
+++ b/aes-internal.h
@@ -33,7 +33,7 @@
 #define _aes_decrypt _nettle_aes_decrypt
 #define _aes_encrypt_table _nettle_aes_encrypt_table
 
-/* Define to use only small tables. FIXME: Currently not working. */
+/* Define to use only small tables. */
 #ifndef AES_SMALL
 # define AES_SMALL 0
 #endif
diff --git a/arctwo.h b/arctwo.h
index fa1360de52fdbe11b0f72ab63e5be46e289cdbbf..cf3c96d19593b6bb3cbf453277802824ef8f6d2a 100644
--- a/arctwo.h
+++ b/arctwo.h
@@ -64,8 +64,6 @@ void
 arctwo_set_key (struct arctwo_ctx *ctx, unsigned length, const uint8_t *key);
 
 /* Equvivalent to arctwo_set_key_ekb, with ekb = 1024 */
-/* FIXME: Is this function really needed, and if so, what's the right
-   name for it? */
 void
 arctwo_set_key_gutmann (struct arctwo_ctx *ctx,
 			unsigned length, const uint8_t *key);
diff --git a/base16-decode.c b/base16-decode.c
index a76d0fe294d6ba4cefcf5ff7a8869a9c93bb5593..2689411a2e6a321f25cbe1a01a4c0625c22bf5e2 100644
--- a/base16-decode.c
+++ b/base16-decode.c
@@ -65,7 +65,6 @@ base16_decode_single(struct base16_decode_ctx *ctx,
   if (src >= 0x80)
     return -1;
 
-  /* FIXME: This code could use more clever choices of constants. */
   digit = hex_decode_table[src];
   switch (digit)
     {
diff --git a/base16-encode.c b/base16-encode.c
index bc95bc9007c4d5f29b980f872a0167097b1e24a1..b2267ab0d05be5ba380e21c50850e7a8505a57c0 100644
--- a/base16-encode.c
+++ b/base16-encode.c
@@ -35,7 +35,6 @@ hex_digits[16] = "0123456789abcdef";
 
 #define DIGIT(x) (hex_digits[(x) & 0xf])
 
-/* FIXME: Is this really needed? */
 /* Encodes a single byte. Always stores two digits in dst[0] and dst[1]. */
 void
 base16_encode_single(uint8_t *dst,
diff --git a/base16.h b/base16.h
index 967da4d1ab38dd3aae8cef12c3ac41349e6d9297..960ce775ed65d87cf59347c606e5f3c83ab8f5e3 100644
--- a/base16.h
+++ b/base16.h
@@ -86,8 +86,8 @@ base16_decode_single(struct base16_decode_ctx *ctx,
  * area before the call. *DST_LENGTH is updated to the amount of
  * decoded output. */
 
-/* FIXME: Currently results in an assertion failure if *DST_LENGTH is
- * too small. Return some error instead? */
+/* Currently results in an assertion failure if *DST_LENGTH is
+ * too small. FIXME: Return some error instead? */
 int
 base16_decode_update(struct base16_decode_ctx *ctx,
 		     unsigned *dst_length,
diff --git a/base64.h b/base64.h
index 279dff992a0221571a1bbab6fae195473d3dadb7..2be186530b0cecb240bc6e814fc4a002a32e8c6d 100644
--- a/base64.h
+++ b/base64.h
@@ -133,8 +133,8 @@ base64_decode_single(struct base64_decode_ctx *ctx,
  * area before the call. *DST_LENGTH is updated to the amount of
  * decoded output. */
 
-/* FIXME: Currently results in an assertion failure if *DST_LENGTH is
- * too small. Return some error instead? */
+/* Currently results in an assertion failure if *DST_LENGTH is
+ * too small. FIXME: Return some error instead? */
 int
 base64_decode_update(struct base64_decode_ctx *ctx,
 		     unsigned *dst_length,
diff --git a/bignum-random.c b/bignum-random.c
index 16029216b404b704f70f6459f5c272e5d8bb7c0e..6653dea375e321730594c847c1d8a8a94b1b5765 100644
--- a/bignum-random.c
+++ b/bignum-random.c
@@ -57,8 +57,8 @@ nettle_mpz_random(mpz_t x,
 		  void *ctx, nettle_random_func random,
 		  const mpz_t n)
 {
-  /* FIXME: This leaves some bias, which may be bad for DSA. A better
-   * way might to generate a random number of mpz_sizeinbase(n, 2)
+  /* NOTE: This leaves some bias, which may be bad for DSA. A better
+   * way might be to generate a random number of mpz_sizeinbase(n, 2)
    * bits, and loop until one smaller than n is found. */
 
   /* From Daniel Bleichenbacher (via coderpunks):
diff --git a/bignum.c b/bignum.c
index 04a7920dc4febd960aad4596e3470b9530c9aae5..e73f6190bf528b8b29b0fa0696661cf598e8b575 100644
--- a/bignum.c
+++ b/bignum.c
@@ -120,9 +120,6 @@ nettle_mpz_get_str_256(unsigned length, uint8_t *s, const mpz_t x)
       mpz_init(c);
       mpz_com(c, x);
 
-      /* FIXME: A different trick is to complement all the limbs of c
-       * now. That way, nettle_mpz_to_octets need not complement each
-       * digit. */
       assert(nettle_mpz_sizeinbase_256_u(c) <= length);
       nettle_mpz_to_octets(length, s, c, 0xff);
 
diff --git a/bignum.h b/bignum.h
index 97da817185f6687cf317f720de587f25ce27a77c..14d0fc62da56da0e43edd5ade907af9414211a39 100644
--- a/bignum.h
+++ b/bignum.h
@@ -46,7 +46,6 @@ nettle_mpz_sizeinbase_256_u(const mpz_t x);
 
 /* Writes an integer as length octets, using big endian byte order,
  * and two's complement for negative numbers. */
-/* FIXME: Change order of arguments, putting the mpz_t first? */
 void
 nettle_mpz_get_str_256(unsigned length, uint8_t *s, const mpz_t x);
 
diff --git a/rsa-sign.c b/rsa-sign.c
index 4be75cdabefd291479b629d1396bfce8158d1acf..aa407caa104dab2fbf63488a23c8f19a953251b5 100644
--- a/rsa-sign.c
+++ b/rsa-sign.c
@@ -60,8 +60,6 @@ rsa_private_key_clear(struct rsa_private_key *key)
 int
 rsa_private_key_prepare(struct rsa_private_key *key)
 {
-  /* FIXME: Add further sanity checks. */
-
   mpz_t n;
   
   /* The size of the product is the sum of the sizes of the factors,
diff --git a/rsa-verify.c b/rsa-verify.c
index 734eb80d05935bc81a3210f13d7240da7f35efff..2e3b52f5d1baafc0535aba0d36da470c67e4f994 100644
--- a/rsa-verify.c
+++ b/rsa-verify.c
@@ -48,7 +48,6 @@ _rsa_verify(const struct rsa_public_key *key,
   
   mpz_powm(m1, s, key->e, key->n);
 
-  /* FIXME: Is it cheaper to convert m1 to a string and check that? */
   res = !mpz_cmp(m, m1);
 
   mpz_clear(m1);
diff --git a/rsa.c b/rsa.c
index 74b1370af75f1e1b1967bc38b8c641e681f5851e..ae20421e89e7cb1ce7d3ee6b5556e24ee3305998 100644
--- a/rsa.c
+++ b/rsa.c
@@ -67,13 +67,6 @@ _rsa_check_size(mpz_t n)
 int
 rsa_public_key_prepare(struct rsa_public_key *key)
 {
-  /* FIXME: Add further sanity checks, like 0 < e < n. */
-#if 0
-  if ( (mpz_sgn(key->e) <= 0)
-       || mpz_cmp(key->e, key->n) >= 0)
-    return 0;
-#endif
-  
   key->size = _rsa_check_size(key->n);
   
   return (key->size > 0);
diff --git a/rsa.h b/rsa.h
index 70d8b136c3571ae91e92d0118be914327a2d1dfa..dbdace22a14ebf64b9d338e2ae3cba2c8097eb58 100644
--- a/rsa.h
+++ b/rsa.h
@@ -227,8 +227,8 @@ rsa_sha256_verify_digest(const struct rsa_public_key *key,
 
 
 /* RSA encryption, using PKCS#1 */
-/* FIXME: These functions uses the v1.5 padding. What should the v2
- * (OAEP) functions be called? */
+/* These functions uses the v1.5 padding. What should the v2 (OAEP)
+ * functions be called? */
 
 /* Returns 1 on success, 0 on failure, which happens if the
  * message is too long for the key. */
diff --git a/sexp-transport-format.c b/sexp-transport-format.c
index c8ac89cd4d819d6b1907cc1e035169d09c2bdc53..db4b193472c0cd7537ffc79fd245fdc296272e6f 100644
--- a/sexp-transport-format.c
+++ b/sexp-transport-format.c
@@ -57,9 +57,6 @@ sexp_transport_vformat(struct nettle_buffer *buffer,
 
   if (buffer)
     {
-      /* FIXME: This assumes that data is never removed from the
-       * buffer. That works for the current buffer, but it would be
-       * nice to get rid of this restriction. */
       if (!nettle_buffer_space(buffer, base64_length - length))
 	return 0;
 
diff --git a/sexp.c b/sexp.c
index b1dfd2e03db8ba24bb8d357342c009b007c45a76..77b357735377217110f5731be73982a105f3a73c 100644
--- a/sexp.c
+++ b/sexp.c
@@ -50,9 +50,6 @@ sexp_iterator_init(struct sexp_iterator *iterator,
   iterator->display = NULL;
   iterator->atom_length = 0;
   iterator->atom = NULL;
-
-  /* FIXME: For other than canonical syntax,
-   * skip white space here. */
 }
 
 #define EMPTY(i) ((i)->pos == (i)->length)
diff --git a/sexp.h b/sexp.h
index d8b39bf51218553eb291d87c7be90cc83b98f6b8..53a90a14d6ef17e3d96839b8273dc899478362b1 100644
--- a/sexp.h
+++ b/sexp.h
@@ -191,9 +191,6 @@ unsigned
 sexp_vformat(struct nettle_buffer *buffer,
 	     const char *format, va_list args);
 
-/* FIXME: Add argument LINE_WIDTH. If non-zero, break lines to at most
- * that width. */
-
 unsigned
 sexp_transport_format(struct nettle_buffer *buffer,
 		      const char *format, ...);