One place that this will help a lot is managing completely offline machines,
like machines for running secure build and signing processes. Right now, in
order to install a package securely on an offline machine, I have to make sure
that the apt-get cache is no older than two weeks, otherwise apt-get considers
the info expired and no longer trusted. It make sense to have a listing of
packages and updates expire. It does not make sense to have the signature on
an individual package expire. Debian does not provide the later option.