Or, you could make use of the Check-Valid-Until and Min-ValidTime options in
apt.conf. There's a reason things are done the way they are, and you probably
aren't going to find a lot of interest in getting people to do a lot of work
to create a system which is duplicative at best and less secure at worst.
Sure, those options would work well for people who understand them and want to
tweak them. I'm not interested in that. I'm currently working on a
TAILS-based system for running build and signing processes on machines that
_never_ go online. So that means that changing the apt config is not an
option. I'm working with apt-offline currently and that helps a lot.
TAILS is a live CD, but provides a method of installing and maintaining new
packages on top of what is provided by the live CD. That means those packages
are stored in an encrypted stash, and are installed on each boot. So in order
to use this feature, the apt cache needs to be refreshed using apt-offline at
least every two weeks, otherwise the packages won't be installed since apt can
no longer validate them.