Code review comment for ~ahasenack/ubuntu/+source/ubuntu-advantage-tools:v17-fips-updates

We were not able to anticipate which fips modules a customer wants, so the enable-fips installs all the certified fips modules. Thus naturally assumed the update-fips should update all of them. Manual install instructions are published and provided for customers that prefer to "customize" their fips installations. See, https://assets.ubuntu.com/v1/f35fe02e-Canonical+FIPS+Installation+Instructions.pdf?utm_source=ubunteu&utm_medium=url_shortner&utm_term=fips-install&utm_campaign=shortner

Given that after initial installation, whether done manually or via enable-fips, a customer may have removed fips modules not desired or only installed those desired, the update-fips perhaps should loop thru and see which fips modules are installed, and only update those. In the special case of an update-fips being called where no fips modules have been installed, the script can just install all the updated fips modules similar to the enable-fips.

If that sounds good, then I can open an issue in github to do that.

In regards to fips updates, both potential and existing customers have indicated they would like "updated" fips modules, that is, they want fips modules with bugfixes and CVEs applied and is ok if these "updated" fips modules are not re-certified. They want the fips code paths and fips approved algorithms. For example, not all the fips approved algorithms are in the corresponding, regular version of ssl. We also found this is what several other major Linux distros do as well. So we are giving customers choice of strict fips compliance with fips certified modules from fips ppa and|or the ability to run in "fips mode" with CVEs+bugfixes on top of the fips-certified modules from fips-update ppa. We decided to include that warning or info message in update-fips to do just that, provide info and warn, just in case. Thus absolving us of any potential liability or misunderstanding. Hopefully, that all seems ok. We are learning as we go.