> Yes - I do expect you to be able to build just the validated source
independently of the rest of the tarball so that you could (for example) run the
latest main OpenSSL version but with an older module.
Which means that this doesn't have to happen in the first release since there's only one runtime that works with the one FIPS module.