Say a vulnerability was merged 1 year ago and it was ACK'd by someone who has since had their PGP compromised. How would you know the ACK was signed ahead of the merge rather than after the key compromise?